Configuring an RTU as a Modbus Master · to 1, in this case use a PLC TYPE value of 14 in the Point Map. Other Ethernet Modbus devices need to have the transmission ID field set to

RTU AS A MODBUS MASTER

Effective: 03/28/13

Revision: D

All information contained in this document is the sole property of HSQ Technology. Any reproduction in part or whole without the written permission of HSQ Technology is prohibited.

PAGE: 1 of 38

Configuring an HSQ RTU as a Modbus Master

CONTENTS

Overview.......................................................................................................................... 3

Scope and Intended Audience ................................................................................................................ 3

About this Document .............................................................................................................................. 3

How Data is Stored in Modbus ......................................................................................... 4

Supported Point Types, Registers, and Functions ............................................................ 5

Modbus Point Types ................................................................................................................................ 5

Modbus Registers .................................................................................................................................... 5

Read Function Codes ............................................................................................................................... 5

Write Function Codes .............................................................................................................................. 6

Modbus Data and Control Functions ...................................................................................................... 6

Modbus Master Operations Using Ethernet .................................................................... 7

Modbus Master Operations Using Serial Lines ................................................................. 8

Simultaneous Operation Using Serial and Ethernet ............................................................................... 8

PLC Table Entries and Modbus Registers ......................................................................... 9

Contiguous Registers into Contiguous Points ......................................................................................... 9

Non-Contiguous Registers into Contiguous Points ............................................................................... 10

Reading Modbus Table Values into Points ..................................................................... 11

Modbus Handling of Read Errors .......................................................................................................... 11

Using Modbus Read Function Code 1 and 2 ......................................................................................... 12

Calculating the Resulting Value ....................................................................................................................... 12

Using Modbus Read Function Code 3 and 4 ......................................................................................... 12

Calculating the Resulting Value for AI and AO Points ..................................................................................... 12

Calculating the Resulting Value for DI and DV Points ..................................................................................... 12

Host COS Considerations ....................................................................................................................... 13


]


PAGE: 2 of 38

RTU MASK Value ............................................................................................................ 13

Using All Bits Read from the Modbus Device ........................................................................................ 13

Using Only Some of the Bits Read from the Modbus Device ................................................................ 13

32-Bit Modbus Value Processing ........................................................................................................... 14

32-Bit Modbus Integer COS Points .................................................................................................................. 14

32-Bit Modbus Floating Point COS Points ....................................................................................................... 16

Writing Point Values to Modbus Table Entries ............................................................... 17

Using Modbus Write Function Code 5 and 15 ...................................................................................... 18

Single and Multiple Modbus Commands ........................................................................................................ 18

Using Modbus Write Function Code 6 and 16 ...................................................................................... 18

Using Modbus Write Function Code 6 and 16 with DV Points ............................................................. 19

Using Modbus Command 22 ................................................................................................................. 19

Creating a Modbus Point Map ....................................................................................... 20

Creating a PLC Board Type .................................................................................................................... 20

PLC Table Field Entries..................................................................................................................................... 21

Example of an AI with Read Function Code 4 ....................................................................................... 23

Example of a DI with Read Function Code 2 ......................................................................................... 24

Example of an AO with Read Function Code 3 and Write Function Code 16 ....................................... 25

Example of a DV with Write Function Code 6 ....................................................................................... 26

Appendix – Message Format Examples .......................................................................... 28

Read Coil Status ..................................................................................................................................... 28

Read Input Status .................................................................................................................................. 29

Read Holding Registers .......................................................................................................................... 30

Read Input Registers ............................................................................................................................. 31

Force Single Coil .................................................................................................................................... 32

Preset Single Register ............................................................................................................................ 33

Force Multiple Coils ............................................................................................................................... 34

Preset Multiple Registers ...................................................................................................................... 35

Exception Responses (Error Codes)....................................................................................................... 36

Supported Error Codes .................................................................................................................................... 37


]


PAGE: 3 of 38

Overview

Modbus is a communication protocol used to establish Master-Slave communications between industrial,

electronic devices. The Master initiates communications and the Slave device replies. An HSQ RTU can act as a

Modbus Master and poll Modbus Slave devices. This means the RTU serves as a gateway between Modbus

devices and the MISER Host. Communication between the Master and the Slave is available via either serial or

Ethernet or both. Registers on the Modbus devices are treated as Analog Inputs, Analog Outputs, Digital Inputs,

and Device Points in special entries in the RTU Point Map called PLC Boards.

When the RTU is operating as a Modbus Master it can address individual Slaves, which in turn respond to

queries that are addressed specifically to them. A Modbus message sent from a Master to a Slave contains the

address of the Slave, the “command” function code, the data, and the checksum. A response Modbus message

from a Slave to the Master contains fields confirming the action taken, any data to be returned, and a checksum.

If an error occurs or the Slave is unable to perform the requested action, the Slave constructs an error message

and sends it as its response. See Appendix – Message Format Examples for examples of the different message

formats.

Scope and Intended Audience

This document describes the theory behind and the steps required, to configure an HSQ (25x86 or 6000) Remote

Terminal Unit (RTU) to function as a Modbus Master. The information in this User Note applies primarily to RTUs

with software v8 R01f or later. It may also pertain to versions 1_4, 1_5, and 1_6 but the full set of features might

not be available and there will be some variances from the procedures described here.

Some knowledge of Modbus system architecture and table addressing is assumed. The website:

www.modbus.org and particularly the document:

www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf provide in-depth information on the subject.

In order to effectively use this document, you must understand how your Modbus Slave devices work and how

they respond to commands. Please refer to the service manual for your particular devices.

NOTE: Most importantly, confirm that the remote device supports the Modbus protocol.

About this Document

Typically, most users will want to connect an HSQ RTU to one or more Modbus devices in order to perform

simple tasks. However, some users may want to perform more complex operations. In this User Note some

sections are marked, “This is recommended for Technically Advanced Users only.” Beginners or those wanting

only to perform simple operations can skip these sections.

For complete information on using RTU Diagnostics, refer to the RTU Diagnostics User Manual.

http://www.modbus.org/

http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf


]


PAGE: 4 of 38

How Data is Stored in Modbus

Information is stored in the Slave device in four different tables. Two tables store on/off discrete values (coils)

and two store numerical values (registers). The coils and registers each have a read-only table and read-write

table.

Each table has 9999 values. Each coil or contact is one bit and assigned a data address between 0000 and 270E

(hexadecimal). Each register is one word (16 bits or 2 bytes) and also has a data address between 0000 and 270E

in hexadecimal.

Table Name Type Data Addresses (hex) Coil/Register Numbers

Discrete Output Coils Read-Write 0000 to 270E 1-9999

Discrete Input Contacts Read-Only 0000 to 270E 10001-19999

Analog Input Registers Read-Only 0000 to 270E 30001-39999

Analog Output Holding Registers Read-Write 0000 to 270E 40001-49999

Coil/Register Numbers can be thought of as location names since they do not appear in the actual messages.

The Data Addresses are used in the messages.

For example, the first Holding Register, number 40001, has the Data Address 0000. Each table has a different

offset: 1, 10001, 30001, and 40001.


]


PAGE: 5 of 38

Supported Point Types, Registers, and Functions

The RTU Modbus Master software supports several point types and Modbus functions:

Modbus Point Types

RTU Analog Input (AI) — initializes read transmissions to the Modbus Slave (only read commands are

supported).

RTU Digital Input (DI) — initializes read transmissions to the Modbus Slave (only read commands are

supported).

RTU Analog Output (AO) — initializes read and write transmissions to the Modbus Slave.

RTU Device Point (DV) — initializes read and write transmissions to the Modbus Slave.

Modbus Registers

The Modbus standard specifies that a device can have tables made up of the following four types:

Discrete Inputs — Single bit, read-only

Coils — Single bit, read/write

Input Registers — 16-bit word, read-only

Holding Registers — 16-bit word, read/write

There are specific procedures for reading and writing values to and from these Modbus tables.

Read Function Codes

For each Modbus table type, a specific Modbus Read Function Code value is used; this is a built-in part of the

Modbus protocol. The function code used determines the Modbus table to be read. It is not required that you

specify a Read Function Code, in which case you can use the value zero (0). Refer to Reading Modbus Table

Values into Points for a description of how to implement these codes.

The table below shows the simplest and most basic approach to mapping Modbus table values into RTU points:

Read Function Code Modbus Table Name Typical RTU Point Type

0 — NONE

1 — Read Coil Status Discrete Output Coils DV

2 — Read Input Status Discrete Input Contacts DI

3 — Read Holding Registers Analog Output Holding Registers AO

4 — Read Input Registers Analog Input Registers AI


]


PAGE: 6 of 38

Write Function Codes

RTU Modbus software can write to Modbus Holding Registers and Modbus Coils. The most common

arrangement is to assign these to be written into point types. It is not required that you specify a Write Function

Code, in which case you can use the value zero. Refer to Writing Point Values to Modbus Table Entries for a

description of how to implement these codes.

The table below shows the simplest and most basic approach to mapping Modbus table values into RTU points:

Write Function Code Modbus Table Name Typical RTU Point Type

0 — NONE

5 — Force (Write) Single Coil Discrete Output Coil DV

6 — Preset (Write) Single Register Analog Output Holding Registers

AO

15 — Force (Write) Multiple Coils (Applicable only when the RTU is the Modbus Master)

Discrete Output Coils DV

16 — Preset (Write) Multiple Registers (Applicable only when the RTU is the Modbus Master)

Analog Output Holding Registers

AO

Modbus Data and Control Functions

The Modbus Master can address individual Slaves or can initiate a broadcast message to all the Slaves. Slaves

return a response to queries that are addressed to them individually. There are no responses for broadcast

queries. The query format contains the device (or broadcast) address, the function code, the data being sent,

and an error-checking field. The response message contains fields confirming the action taken, any data to be

returned, and an error-checking field. For specifics about the Modbus message format, refer to

Appendix – Message Format Examples.


]


PAGE: 7 of 38

Modbus Master Operations Using Ethernet

When communicating over Ethernet, the RTU can poll the individual Modbus Slaves by knowing their IP

addresses. You cannot connect two Modbus devices with the same IP address to the same RTU; the RTU will not

be able to address them properly. The IP address and the corresponding Modbus ID, which is also the MUX ID

for the MISER Host system, are defined using RTU Diagnostics via the RTU menu:

RTU… > RTU Hrdwr Cnfg… > Network… > Send RIO Config

Figure 1 — Modbus Ethernet communication topology

Most Modbus devices receive Ethernet messages with the transmission ID field set to 255 (as specified in the

Modbus standard); use a PLC TYPE value of 4 in the Point Map.

NOTE: Some non-standard Modbus devices need to receive Ethernet messages with the transmission ID field set

to 1, in this case use a PLC TYPE value of 14 in the Point Map. Other Ethernet Modbus devices need to have the

transmission ID field set to the actual device ID, in those cases use a PLC TYPE value of 24. Refer to the PLC Type

table in the PLC Table Field Entries section for details.


]


PAGE: 8 of 38

Modbus Master Operations Using Serial Lines

When communicating over serial lines, the RTU can poll the individual Modbus Slaves by knowing their Modbus

IDs. You cannot connect two Modbus devices with the same ID to the same RTU; the RTU will not be able to

address them properly. All serial Modbus devices must be connected to a serial port on the RTU configured for

the Modbus protocol. Only one serial port on an RTU can be configured to operate the Modbus Master protocol

at a time.

Figure 2 — Modbus serial line communication topology

To configure serial port 1 or 2 on the RTU, use the RTU Diagnostics menu entry found at:

RTU… > RTU Hrdwr Cnfg… > Send Config

To configure serial port 3 or 4 on the RTU, use the RTU Diagnostics menu entry found at:

RTU… > RTU Hrdwr Cnfg… > COM ports 3 & 4…

Most serial Modbus devices receive serial messages with the transmission ID field set to the Modbus device ID

(as specified in the Modbus standard); use a PLC TYPE value of 1 in the Point Map.

Simultaneous Operation Using Serial and Ethernet

The RTU Modbus software also allows for simultaneous operation of both serial and Ethernet Modbus

communications. For each Modbus device, the MUX ID must be unique on the Master RTU. (e.g., you cannot

have the MUX 1 ID assigned to both an Ethernet and serial Modbus device on the same RTU).


]


PAGE: 9 of 38

PLC Table Entries and Modbus Registers

Contiguous Registers into Contiguous Points

It is often expedient to read a number of contiguous PLC registers into a contiguous set of points.

Figure 3 — Reading contiguous PLC registers into contiguous points diagram

Figure 4 — Contiguous PLC registers and contiguous points, Point Map example

In the above examples, the Modbus Holding Registers 40100-40103 are read into AI points 10-13. The Point Map

line specifying AIs 10-13 and the single PLC Table entry specifying AIs 10-13, correspond to Modbus Holding

Registers starting at 40100. Below is a step-by-step setup for the example:

1. Set the PLC TYPE to 4, since this is an Ethernet PLC that expects the Transmission ID to be set to 255. Set

the BIT CHECK to 0.

2. Set the FIRST PT to 10 and the LAST PT to 13.

3. Set the PLC ID to 1 since this is the RIO ID of the PLC.

4. For FILE NUM, set READ FUNCTION to 3 since Read Holding Register is the desired Modbus function. Set

WRITE FUNCTION to 0 since the registers will not be written to (the purpose is to read into RTU AIs).

5. Set the REG NUM to 100 since the first Modbus register to read is 40100.

6. For TYPE MASK, set TYPE to 255 and MASK to 255.

See Creating a Modbus Point Map for details on all the entries.


]


PAGE: 10 of 38

Non-Contiguous Registers into Contiguous Points

Sometimes it is desirable to read a number of non-contiguous PLC registers into a contiguous set of points.

Figure 5 — Reading non-contiguous PLC registers into contiguous points diagram

Figure 6 — Non-contiguous PLC registers and contiguous points, Point Map example

In the above examples, the Modbus Holding Registers 40100-40101 are read into AI points 10-11 and Modbus

Holding Registers 40110-40111 into AI points 12-13. The Point Map line specifying AIs 10-13 and the two PLC

Table entries specifying AIs 10-11, correspond to Modbus Holding Registers starting at 40100 and AIs 12-13

correspond to Modbus Holding Registers starting at 40110.


]


PAGE: 11 of 38

Reading Modbus Table Values into Points

The RTU Modbus software can read four types of Modbus table entries. The most common arrangement is to

assign these to be read into RTU point types. Refer to the Read Function Codes table for details.

Generally, the data value read from any of these four Modbus types can be deposited into any DI, DV, AI, or AO

points. Whatever value is read from the Modbus tables is first converted to a 16-bit value. This 16-bit value is

then deposited into the specified point type. This approach allows for a high level of flexibility in processing

Modbus table values. This process is diagrammed below for the “Discrete Input” type, but can also apply to

“Coil”, “Input Register”, and “Holding Register” types.

Figure 7 — Modbus table values diagram

RTU Modbus logic allows a single Point Map entry to read multiple Modbus table values and deposit the results

into multiple points.

NOTE: RTU software prior to and including version R03b, was limited to a maximum of 15 points per Point Map

entry.

Modbus Handling of Read Errors

You can read an entire range of Modbus table entries into a corresponding range of RTU points using a single

PLC Table entry. There is a maximum of 125 16-bit registers available when this is done. This results in the RTU

sending a single read request that specifies a range of Modbus registers to be read as a single operation. If this

range of Modbus registers includes one or more Modbus register numbers that do not exist in the Modbus


]


PAGE: 12 of 38

device, then the entire read request will be rejected by the Modbus device (as specified in the Modbus protocol

standards).

If you are having trouble getting a Modbus read operation to work, verify that the range of Modbus registers is

complete and accurate. One simple way to check for this is to reduce the register range down to a single

register. If things start working, that suggests you might be attempting to read a non-existent Modbus register

from the device.

Error codes are explained in Exception Responses (Error Codes).

Using Modbus Read Function Code 1 and 2

Modbus Read Function Code 1 (Read Coil Status) and 2 (Read Input Status) are both used to read binary values

from the Modbus data tables. The resulting value deposited into a point will always be restricted to the values of

0 or 1. These Read Function Codes are most commonly used for DI and DV point values. The RTU Modbus code

logic allows these Read Function Codes to deposit values into any of the basic point types (DI, AI, DV, and AO).

Calculating the Resulting Value

The RTU Modbus logic will take the binary value read from the Modbus Slave device and deposit the result

(0 or 1) into the specified point.

Using Modbus Read Function Code 3 and 4

Modbus Read Function Code 3 (Read Holding Registers) and 4 (Read Input Registers) are both used to read 16-

bit analog values from the Modbus data tables. While these Read Function Codes are most commonly used for

AO and AI point values, the RTU Modbus code logic allows these Read Function Codes to deposit values into any

of the basic point types (DI, AI, DV, and AO). When you use Modbus Read Function Code 3 or 4, the value of the

TYPE and MASK fields should normally be 255. For exceptions to this rule, refer to the

32-Bit Modbus Value Processing section.

Calculating the Resulting Value for AI and AO Points

The RTU Modbus logic takes the 16-bit binary value read from the Modbus Slave device and directly deposits the

result into the specified point. RTU logic will always interpret analog points as being 16-bit signed values.

Therefore, if the Modbus device provides a 16-bit unsigned value, other portions of the RTU code (COS,

generation logic, VCL, control blocks, etc.) will need special logic to handle values greater than 32767.

Calculating the Resulting Value for DI and DV Points

The RTU Modbus logic sets the value for DI and DV points to 0 or 1 and uses the additional field known as bit-

check. The bit-check field is expected to have a value in the range of 0 to 15. The RTU Modbus logic will take the

16-bit binary value read from the Modbus Slave device and will retain only the bit specified by bit-check. The

resulting value of 0 or 1 will be directly deposited, as the result, into the specified point. Setting bit-check to a

value outside the range of 0 to 15 is meaningless and will produce undefined results.


]


PAGE: 13 of 38

Host COS Considerations

Older MISER host computers are incapable of handling RTU COS transmissions involving AO point types.

Furthermore, RTU software versions prior to R03d did not support AO COS processing at all and AO COS

processing logic was not very robust in RTU software versions prior to R03h. For this reason, operators of older

systems might want to avoid reading Modbus values into AO points.

RTU MASK Value

Using All Bits Read from the Modbus Device

The RTU MASK value is used to specify which of the bits read from the Modbus device should be used and which

should be ignored. Typically, you will want to use all the bits read from the Modbus device, in this case the RTU

MASK and TYPE values should be set to 255. If all the bits read from the Modbus Slave device are used and none

are ignored, the values are simply extracted and used for the logic. For example, a Point Map entry to read 16

points, starting from Modbus register 10, would then deposit the 16 values from registers 10 through 25 into the

points.

Using Only Some of the Bits Read from the Modbus Device

(This is recommended for Technically Advanced Users only.)

By specifying a TYPE and MASK value other than 255, it is possible to use only some of the bits read from the

Modbus device and ignore the rest. In this process, the TYPE and MASK fields are combined to form a single 16-

bit value (TYPE is the HI byte, MASK is the LO byte). Any bit position set to 1 in the resulting 16-bit value will

correspond to a Modbus bit to be used and any bit position set to 0 will be skipped. Since this is a 16-bit field,

the operations are always done in groupings of 16 bits.


]


PAGE: 14 of 38

Figure 8 — Selective bit reading diagram

In the above example, a Point Map entry reads the four DI points numbered 1-4, starting from Modbus register

10 using a TYPE value of 0 and a MASK value of 3. The two values from the Modbus Discrete Input registers 10

and 11 are deposited into DI points 1 and 2. The next 14 Modbus registers are skipped and then the two values

from the Modbus Discrete Input registers, 26 and 27, are deposited into the next two DI points, 3 and 4.

32-Bit Modbus Value Processing

The information below describes how to send 32-bit COS information from a PLC to the MISER Host.

NOTE: The RTU must have software version v8r03u or higher and the MISER Host must have the latest version of

CSPROC (update to v6.13). Also, the RTU or PLC must have 32-bit points.

32-Bit Modbus Integer COS Points


The RTU Modbus logic has a special provision for handling Modbus 16-bit register pairs as a unified value,

providing a 32-bit result. The resulting 32-bit value is then provided to the Host via an equivalent pair of 16-bit

points. To use this feature, you must comply with the following conditions:

The PLC point table entry must allow for two Modbus registers.

The Modbus Read Function Code 3 (Read Holding Register) or 4 (Read Input Register) must be used to

read the pair of Modbus registers.

The point type must be AI or AO. If the point type is AO, then there is the further requirement that the

WRITE FUNCTION field must be zero.

Each 32-bit must be comprised of two consecutive points.


]


PAGE: 15 of 38

The TYPE field must be set to 0 and the MASK field must be set to 4. This alerts the RTU that these

points need to be treated as a 32-bit integer value.

Figure 9 — 32-Bit Modbus integer point entry, Point Map example

If each of the above conditions is met, then the points are handled as 32-bit register pairs and the following

special processing rules apply:

The lower numbered Modbus register will normally contain the more significant 16 bits and the next

higher numbered Modbus register will contain the less significant 16 bits. (This is so the Host software

will know how to reassemble the two points into a single unified 32-bit value.)

Any COS tolerance specified in the point definitions will be disregarded for these points; instead, any

non-zero change on either of the points will trigger COS processing. This COS processing will generate a

pair of COS packets corresponding to the two points in the register pair. Both COS packets will have

identical time stamps.

If either of the two points involved in a register pair is disabled, then both are treated as being disabled

by the COS processing logic.


]


PAGE: 16 of 38

32-Bit Modbus Floating Point COS Points


This configuration sends 32-bit COS information from the Modbus device to the MISER Host. To use this feature,

you must comply with the following conditions:

The PLC point table entry must allow for two Modbus registers.

The Modbus Read Function Code 3 (Read Holding Registers) or 4 (Read Input Register) must be used to

read the pair of Modbus registers.

The point type must be AI or AO. If the point type is AO, then there is the further requirement that the

WRITE FUNCTION field must be 0.

Each 32-bit register must be comprised of two consecutive points.

The TYPE field must be set to 0 and the MASK field must be set to 5. This alerts the RTU that these

points need to be treated as a 32-bit floating point value.

Figure 10 — 32-Bit Modbus floating point entry, Point Map example

If each of the above conditions is met, then the points are handled as 32-bit register pairs and the following

special processing rules apply:

The lower numbered Modbus register will normally contain the most significant 16 bits and the next

higher numbered Modbus register will contain the less significant 16 bits. (This is so the Host software

will know how to reassemble the two points into a single unified 32-bit value.)

Any COS tolerance specified in the point definitions will be disregarded for these points; instead, any

non-zero change on either of the points will trigger COS processing. This COS processing will generate a

pair of COS packets corresponding to the two points in the register pair. Both COS packets will have

identical time stamps.

If either of the two points involved in a register pair is disabled, then both are treated as being disabled

by the COS processing logic.

Refer to the 32-Bit Floating Point COS to Host User Note for more information.


]


PAGE: 17 of 38

Writing Point Values to Modbus Table Entries

The basic association of point values to the Modbus table entries being written is done in the same way as in the

sections, Contiguous Registers into Contiguous Points and Non-Contiguous Registers into Contiguous Points. To

write the values to the Modbus table entries you need to specify the appropriate values for the WRITE

FUNCTION field.

Figure 11 — Writing points into Modbus table entries diagram

Figure 12 — Writing points into Modbus table entries, Point Map example

For each Modbus table type, a set of specific Modbus Write Function Code values must be used. This is a built-in

part of the Modbus protocol and the function code used determines the Modbus table to be written. Refer to

the Write Function Codes table for details. Also, see Creating a Modbus Point Map for details on all the entries.

Generally, the data value from the point types DV and AO can be deposited into Modbus Coils or Holding

Registers. Whatever value is obtained from the points is first converted to a 16-bit value.


]


PAGE: 18 of 38

Figure 13 — Writing points into Modbus table entries diagram

This 16-bit value is then deposited into the specified Modbus table entry. This approach allows for a high level of

flexibility in processing Modbus table values. The process diagrammed shows a DV type, but it can also apply to

an AO type.

Using Modbus Write Function Code 5 and 15

Modbus Write Function Code 5 (Write Single Coil) and 15 (Write Multiple Coils) are both used to write binary

values to Modbus Coils. While these Write Function Codes are most commonly used for DV point values, the

RTU Modbus code logic allows these Write Function Codes to deposit values from any of the basic point types

(DV and AO). The value of the TYPE and MASK fields should normally be 255. When using the point type DV, the

value is simply deposited into the specified Modbus Coil. When using an AO point type, then the specified

Modbus Coil is set as follows:

The specified Modbus Coil is set to 0 if the AO point value was zero.

The specified Modbus Coil is set to 1 if the AO point value was non-zero.

Single and Multiple Modbus Commands

The Modbus protocol allows Coils to be written with either the Write Single Coil (Function Code 5) or the Write

Multiple Coils (Function Code 15) command. It also allows Modbus Holding Registers to be written with either

the Write Single Register (Function Code 6) or the Write Multiple Registers (Function Code 16) command. The

RTU Modbus Master logic supports both types of command codes.

Some Modbus devices support only Single… commands or only Multiple… commands. In these cases, you should

use the write command codes supported by your device. In cases where the Modbus device supports both

Single… and Multiple… commands, you can use either one. There is no noticeable gain in efficiency resulting

from using one or the other.

Using Modbus Write Function Code 6 and 16

Modbus Write Function Code 6 (Write Single Register) and 16 (Write Multiple Registers) are both used to write

16-bit analog values to the Modbus Holding Registers. While these Write Function Codes are most commonly


]


PAGE: 19 of 38

used for AO point values, the RTU Modbus code logic allows these Write Function Codes to deposit values from

any of the basic point types (DV and AO). When using an AO point type, the value of the TYPE and MASK fields

should normally be 255.

Using Modbus Write Function Code 6 and 16 with DV Points


When using the DV point type the values specified in the READ FUNCTION, TYPE, and MASK fields are used as follows:

If READ FUNCTION is set to zero:

o When the DV is ON, the value of the Holding Register is set to the result of: (BIT CHECK × 256) + TYPE.

o When the DV is OFF, the value of the Holding Register is set to the value in MASK.

If READ FUNCTION is set to a non-zero value:

o When the DV is ON, the value of the Holding Register is set to the value in TYPE.

o When the DV is OFF, the value of the Holding Register is set to the value in MASK.

NOTE: BIT CHECK, TYPE, and MASK are 8-bit fields.

Using Modbus Command 22


Modbus Write Function Code 22 (Mask Write Register) can be used if you want to set a single bit within a

Modbus Holding Register to 1 whenever the DV is on and to set that same single bit to 0 when the DV is off. In

each of these cases, only one bit within the 16-bit Modbus Holding Register is operated on, the other 15 bits are

left unchanged.

The Modbus device must support Modbus command 22; not all Modbus devices support this feature. Check the

documentation for your device.

Figure 14 — Configuring Modbus Command 22, Point Map example

To use Mask Register Write operations, set the PLC table entries as follows:

Set READ FUNCTION to 0.

Set WRITE FUNCTION to 22.

Set the STR field to 0.

Set the STP field to the value corresponding to the bit to be operated, this should be in the range of 0 to

15.


]


PAGE: 20 of 38

Creating a Modbus Point Map

The PLC table is configured using the RTU Diagnostics utility.

NOTE: For detailed information on creating Point Maps, refer to the RTU Diagnostics User Manual, Building an

RTU Point Map.

Each Modbus table defines consecutive Modbus registers that correspond to RTU points. If there is a break in

the Modbus registers definition, a new PLC table entry is required.

NOTE: The range of points, first-to-last, must be within the range of the board definition (in the Point Map).

Each point number in the table represents one register number in the Modbus Slave device.

How the RTU addresses registers in the Modbus Slave is not the same as points identified in the MISER Host

database. For example, the MISER database point number 96 could be assigned to the Modbus Holding Register

40000 (where the first 95 AO points are already configured in the Point Map).

Creating a PLC Board Type

1. From the Command Menu, select RTU… > RTU Hardwr Cnfg… > Point Map….

If you already have a Point Map file, select Load Point Map from File and enter the file name without the

extension. Otherwise, select Load Default Point Map.

2. To easily add the next consecutive PLC, find the largest LAST PT number from all of the PLC entries.

3. Move the cursor to that line and press <Insert> to create the next line with the same PT TYPE (point

type). The FIRST PT of the new line will be one more than LAST PT of the previous line. The number of

points will be the same.

4. Press <Return> to edit the new line.

5. In the Edit window, change PT TYPE to the desired point type (DI, AI, DV, or AO).

6. Change BD TYPE (board type) to PLC.

7. Move the cursor to PLC TABL and press <Return>. This creates a blank PLC Table Field.

8. Pressing <Insert> fills in default values. Press <Return> to edit these values.


]


PAGE: 21 of 38

Figure 15 — Sample PLC Table entry

PLC Table Field Entries

Each of the data prompts used in the Modbus PLC Table entry is described below.

PLC TYPE — use the following values:

PLC Board Type Number Description

Serial Modbus Master 1 Serial Modbus

Ethernet Modbus Master ID 255 (typical) 4 Ethernet Modbus using Modbus ID 255

Ethernet Modbus Master ID 1 14 Ethernet Modbus using Modbus ID 1

Ethernet Modbus Master 24 Ethernet Modbus using the actual device ID

The PLC TYPE is dependent on the Modbus Slave device; refer to the manufacturer’s documentation.

BIT CHECK — this field appears after you enter a PLC TYPE for a Modbus device. Normally this field

should be set to zero, unless all of the following conditions are true:

o The PLC table entry specifies a FILE NUM of 3 (Read Holding Registers) or 4 (Read Input Register).

o The Point Map entry is for a DI or DV type point.

o You wish to read only a specific bit.

If all of the conditions are true, then the BIT CHECK field specifies which of the 16 bits read from the

Modbus device determine the point value. The value of the BIT CHECK field should be in the range of 0-

15. BIT CHECK field values outside this range are meaningless.


]


PAGE: 22 of 38

NOTE: Sometimes the displayed PLC TYPE field will be an unexpected number. In fact, this 16-bit field is used to

hold two 8-bit subfields: PLC TYPE and BIT CHECK. Specifically, the value displayed is determined by the formula:

[actual PLC TYPE] + (256 × [BIT CHECK]) = PLC TYPE.

1st PT — specifies the first point in a range of points that are governed by the PLC table entry. This value

must be within the range specified by the corresponding Point Map entry.

LAST PT — specifies the last point in a range of points that are governed by the PLC table entry. In cases

where a PLC table entry only governs a single point, you should set this to the same value as the 1st PT

field. This value must be within the range specified by the corresponding Point Map entry.

PLC ID — specifies the MUX ID used to identify this Modbus device to the RTU and the MISER Host

system. For Modbus Serial Master operation, this is also the same as the Modbus device ID as set in the

Modbus device’s configuration. For Modbus Ethernet Master operation, this must be the same as the

RIO ID.

FILE NUM — this field prompts you to enter values for two functions:

o READ FUNCTION — specifies the Modbus Read Function Code value used in Modbus poll operations

and determines the Modbus table type to be read. See Reading Modbus Table Values into Points for

more details. If there is no need to read this register (e.g., if the register will only be written and

never read) it is acceptable to use the value zero. Refer to Read Function Codes for more

information.

o WRITE FUNCTION — specifies the Modbus Write Function Code value used in Modbus operations

and it determines the Modbus table type to be written. See Writing Point Values to Modbus Table

Entries for more details. If there is no need to write to this register (e.g., if the register will only be

read and never written to) it is acceptable to use the value zero. Refer to Write Function Codes for

more information.

NOTE: Sometimes the displayed FILE NUM field will be an unexpected number. In fact, this 16-bit field is used to

hold two 8-bit subfields: READ FUNCTION and WRITE FUNCTION. Specifically, the value displayed is determined

by the formula: [READ FUNCTION] + (256 × [WRITE FUNCTION]) = FILE NUM.

REG NUM — specifies the Modbus register number to operate on. The starting register number is

defined in the Modbus Slave device. The REG NUM is used in conjunction with FILE NUM to specify the

actual memory address. For example, to read the first input register (30000) the FILE NUM Read

Function needs to be set to 4 and the REG NUM set to 0.

NOTE: RTU points start at one, but Modbus table entries start at zero. It is perfectly acceptable to specify a PLC

Table entry REG NUM value of zero.

TYPE and MASK — these fields are used for storage of values specific to certain operations. Except in

very special cases, these fields should be set to 255 (read all bits). In the case of DV points, these fields

are displayed as STR and STP respectively.


]


PAGE: 23 of 38

o When using Modbus Read Function Code 1 (Read Coil Status) or 2 (Read Discrete Inputs), the TYPE

and MASK field are used to specify which of the 16 bits read from the Modbus device are to be used

and which are to be discarded. The TYPE field is the HI byte and the MASK field is the LO byte in this

process. See Using Modbus Read Function Code 1 and 2 for more information.

o When processing Modbus register pairs as 32-bit values, the TYPE filed must be 0 and the MASK field

must be 4. See 32-Bit Modbus Value Processing for more details.

o When using DV points to set the values of Modbus Holding Registers, the STR and STP fields form a

part of the resulting value deposited into the holding register. See Using Modbus Write Function

Code 6 and 16 with DV Points for more details.

o When using Modbus command 22 (Mask Write Register) the MASK field specifies the bit to be

operated upon. See Using Modbus Command 22 for more details.

Example of an AI with Read Function Code 4

This example illustrates using Read Function Code 4 (Read Input Registers in Modbus) and returning 16-bit

results. The value that is read from the Modbus Slave will be written to an AI if the present value is not equal to

the value from the Modbus Slave. After performing the steps in Creating a PLC Board Type, fill in the PLC TABL

entries.

Figure 16 — AI Point, Read Function Code 4 example

In the example above:

PLC TYPE (4)

o PLC TYPE — the first subfield is 4 to indicate the type of Modbus Slave.

o BIT CHECK — the second subfield is 0 because the point type is AI.

1st PT — 158 is the lowest numbered point in the Point Map.

LAST PT — 171 is the highest numbered point in the Point Map.

PLC ID — 66 is the Remote Input/Output identification used by the RTU and MISER Host.


]


PAGE: 24 of 38

FILE NUM (4)

o READ FUNCTION — the first subfield is 4 to indicate this PLC reads input registers.

o WRITE FUNCTION — the second subfield is 0 to indicate this AI point does not have write ability.

REG NUM — this is set to 151 to indicate the starting Modbus register (30151).

TYPE and MASK — these fields are typically set to 255 unless you are a very experienced user and need

to configure a 32-bit PLC (see 32-Bit Modbus Value Processing for more information).

Example of a DI with Read Function Code 2

This example illustrates using Read Function Code 2 (Read Input Status) to read five specific bits of the 16-bit

PLC. After performing the steps in Creating a PLC Board Type, fill in the PLC TABL entries.

Figure 17 — DI Point, Read Function Code 2, Bits 5-9 example


PLC TYPE (1294)


o BIT CHECK — the second subfield is 5 to indicate the individual bit to be read.

PLC TYPE (1550)



PLC TYPE (1806)




]


PAGE: 25 of 38

PLC TYPE (2062)



PLC TYPE (2318)



1st PT — 125, 126, 127, 128, and 129 are the points in the Point Map associated with the individual bits

(5, 6, 7, 8, and 9 respectively) of the Modbus register.

LAST PT — these are the same since the intent is to read specific bits.


FILE NUM (2)

o READ FUNCTION — the first subfield is 2 to indicate this PLC reads input status.

o WRITE FUNCTION — the second subfield is 0 to indicate this DI point does not have write ability.

REG NUM — this is set to 61 to indicate the Modbus register (10061).

TYPE and MASK— these are set to 255 to indicate all the bits read from the Modbus Slave device are

used, as is typical.

Example of an AO with Read Function Code 3 and Write Function Code 16

This example illustrates using Read Function Code 3 (Read Holding Register) and Write Function Code 16 (Write

Single Coil). This reads values from analog points and writes values to the same points depending on the point

logic. After performing the steps in Creating a PLC Board Type, fill in the PLC TABL entries.

Figure 18 — AO Point, Read Function Code 3 and Write Function Code 16 example


]


PAGE: 26 of 38


PLC TYPE (1)


o BIT CHECK — the second subfield is 0 in order to read and write all 16-bits of the PLC.

1st PT — 96 is the first numbered point in the Point Map being read and written to.

LAST PT — 112 is the last numbered point in the Point Map being read and written to.


FILE NUM (4099)

o READ FUNCTION — the first subfield is set to 3 to indicate this PLC reads holding registers.

o WRITE FUNCTION — the second subfield is set to 16 to indicate this PLC presets multiple registers.

REG NUM — this is set to 44 to indicate the starting Modbus register.

TYPE and MASK — these are set to 255, as is typical.

Example of a DV with Write Function Code 6

This example illustrates using Write Function Code 6 (Preset Single Register). This sets a Modbus register to 1

when the DV is ON and the same register to 0 when the DV is OFF. After performing the steps in Creating a PLC

Board Type, fill in the PLC TABL entries.

Figure 19 — DV Point, Write Function Code 6 example


PLC TYPE (4)


o BIT CHECK — the second subfield is 0 to specify all the bits of the Modbus register.

1st PT — 101 is the numbered point in the Point Map being written to.


]


PAGE: 27 of 38

LAST PT — this is the same point since the intent is to preset a single register.


FILE NUM (1536)

o READ FUNCTION — the first subfield is set to 0 to indicate this DV point does not have read ability.

o WRITE FUNCTION — the second subfield is set to 6 to indicate this PLC writes to a single register.

REG NUM — this is set to 1 to indicate the starting register.

STR and STP — 1 is the “VALUE FOR START” and 0 is the “VALUE FOR STOP”.


]


PAGE: 28 of 38

Appendix – Message Format Examples

The examples below show the format of query and response messages between the RTU and the Modbus

device.

Read Coil Status

Function Code 1 reads the ON/OFF status of discrete coils in the Slave. Broadcast is not supported. The

maximum parameters can vary dependent on the Modbus Slave. The query message specifies the starting coil

and quantity of coils to be read. Coils are addressed starting at zero (i.e., coils 1-16 are addressed as 0-15).

Here is an example requesting the ON/OFF status of discrete coils #20 to 56 from the Slave device with address

17 (11 01 0013 0025 0E84):

Field Name Example

Slave Address 11 (17 = 11 hex)

Function Code 01 (Read Coil Status)

Data Address of First Coil 0013 (Coil 20 − 1 = 19 = 13 hex)

Total Number of Coils 0025 (Coils 20-56 = 37 = 25 hex)

Error Check (CRC) 0E84

Here is an example of the response (11 01 05 CD6BB20E1B 45E6):

Field Name Example



Number of Data Bytes 05 (37 Coils ÷ 8 bits per byte = 5 bytes)

Coils 27-20 (1100 1101) Coils 35-28 (0110 1011) Coils 43-36 (1011 0010) Coils 51-44 (0000 1110) Coils 56-52 (0001 1011)

CD 6B B2 0E 1B (includes three space holders)

Error Check (CRC) 45E6

The more significant bits contain the higher coil variables. This shows that coil 36 is off (0) and 43 is on (1). Due

to the number of coils requested, the last data field contains the status of only five coils.


]


PAGE: 29 of 38

Read Input Status

Function Code 2 reads the ON/OFF status of discrete inputs in the Slave. Broadcast is not supported. The

maximum parameters can vary dependent on the Modbus Slave. The query message specifies the starting input

and quantity of inputs to be read. Inputs are addressed starting at zero (i.e., coils 1-16 are addressed as 0-15).

Here is an example of requesting the ON/OFF status of discrete inputs #10197 to 10218 from the Slave device

with address 17 (11 02 00C4 0016 BAA9):

Field Name Example


Function Code 02 (Read Input Status)

Data Address of First Input 00C4 (10197 – 10001 = 196 = C4 hex)

Total Number of Inputs 0016 (197-218 = 22 = 16 hex)

Error Check (CRC) BAA9

Here is an example of the response (11 02 03 ACDB35 2018):

Field Name Example


Function Code 02 (Read Input Status)

Number of Data Bytes 03 (22 Inputs ÷ 8 bits per byte = 3 bytes)

Discrete Inputs 10204-10197 (1010 1100) Discrete Inputs 10212-10205 (1101 1011) Discrete Inputs 10218-10213 (0011 0101)

AC DB 35 (includes two space holders)

Error Check (CRC) 2018

The more significant bits contain the higher discrete inputs. This shows that input 10197 is off (0) and 10204 is

on (1). Due to the number of inputs requested, the last data field contains the status of only six inputs.


]


PAGE: 30 of 38

Read Holding Registers

Function Code 3 reads the contents of holding registers in the Slave. Broadcast is not supported. The maximum

parameters can vary dependent on the Modbus Slave. The query message specifies the starting register and

quantity of registers to be read. Registers are addressed starting at zero (i.e., coils 1-16 are addressed as 0-15).

Here is an example of requesting the content of analog output holding registers #40108 to 40110 from the Slave

device with address 17 (11 03 006B 0003 7687):

Field Name Example


Function Code 03 (Read Analog Output Holding Registers)

Data Address of First Register 006B (40108 − 40001 = 107 = 6B hex)

Total Number of Registers 0003 (3 Registers 40108-40110)


Here is an example of the response (11 03 06 AE41 5652 4340 49AD):

Field Name Example


Function Code 03 (Read Analog Output Holding Registers)

Number of Data Bytes 06 (3 Registers × 2 bytes each = 6 bytes)

Contents of Register 40108 AE41

Contents of Register 40109 5652

Contents of Registers 40110 4340

Error Check (CRC) 49AD


]


PAGE: 31 of 38

Read Input Registers

Function Code 4 reads the contents of analog input registers in the Slave. Broadcast is not supported. The

maximum parameters can vary dependent on the Modbus Slave. The query message specifies the starting

register and quantity of registers to be read. Registers are addressed starting at zero (i.e., coils 1-16 are

addressed as 0-15).

Here is an example of requesting the content of analog input register #30009 from the Slave device with address

17 (11 04 0008 0001 B298):

Field Name Example


Function Code 04 (Read Analog Input Registers)

Data Address of First Register 0008 (30009 – 30001 = 8)

Total Number of Registers 0001 (1 Register)

Error Check (CRC) B298

Here is an example of the response (11 04 02 000A F8F4):

Field Name Example


Function Code 04 (Read Analog Input Registers)

Number of Data Bytes 02 (1 Register × 2 bytes each = 2 bytes)

Contents of Register 30009 000A

Error Check (CRC) F8F4


]


PAGE: 32 of 38

Force Single Coil

Function Code 5 forces a single coil to either ON or OFF. When broadcast, the function forces the same coil

references in all attached Slaves. The maximum parameters can vary dependent on the Modbus Slave. The

function will override the controller’s memory protect state and the coil’s disable state. The forced state

remains in effect until the controller’s logic overrides any manual commands. Registers not involved in the

controller logic will keep the manually set values indefinitely. Coils are addressed starting at zero (i.e., coil 1 is

addressed as 0).

The normal response is an echo of the query, returned after the coil has been written. Here is an example of

writing the contents of discrete coil #173 to ON in the Slave device with address 17

(11 05 00AC FF00 4E8B):

Field Name Example


Function Code 05 (Force Single Coil)

Data Address of the Coil 00AC (Coil #173 – 1 = 172 = AC hex)

Status to Write FF00 (FF00 = ON, 0000 = OFF)

Error Check (CRC) 4E8B

The normal response is an echo of the query, returned after the coil state has been forced. Here is an example

of the response (11 05 00AC FF00 4E8B):

Field Name Example


Function Code 05 (Force Single Coil)

Data Address of the Coil 00AC (Coil #173 – 1 = 172 = AC hex)

Status Written FF00

Error Check (CRC) 4E8B


]


PAGE: 33 of 38

Preset Single Register

Function Code 6 presets a value into a single holding register. When the code is broadcast, the function presets

the same register reference in all attached Slaves. The maximum parameters can vary dependent on the

Modbus Slave. The function will override the controller’s memory protect state and the coil’s disable state. The

forced state remains in effect until the controller’s logic overrides any manual commands. Registers not involved

in the controller logic will keep the manually set values indefinitely. The query message specifies the register

reference to be preset. Registers are addressed starting at zero (i.e., register 1 is addressed as 0).

Here is an example of writing the contents of analog output holding register #40002 to the Slave device with

address 17 (11 06 0001 0003 9A9B):

Field Name Example


Function Code 06 (Preset Single Register)

Data Address of the Register 0001 (#40002 – 40001 = 1)

Value to Write 0003

Error Check (CRC) 9A9B

The normal response is an echo of the query, returned after the register contents have been written. Here is an

example of the response (11 06 0001 0003 9A9B):

Field Name Example


Function Code 06 (Preset Single Register)

Data Address of the Register 0001 (#40002 – 40001 = 1)

Value Written 0003

Error Check (CRC) 9A9B


]


PAGE: 34 of 38

Force Multiple Coils

Function Code 15 forces each coil in a sequence of coils to either ON or OFF. When broadcast, the function

forces the same coil reference in all attached Slaves. The maximum parameters can vary dependent on the

Modbus Slave. The function will override the controller’s memory protect state and the coil’s disable state. The

forced state remains in effect until the controller’s logic overrides any manual commands. Registers not involved

in the controller logic will keep the manually set values indefinitely. The query message specifies the coil

references to be forced. Coils are addressed starting at zero (i.e., coil 1 is addressed as 0). The requested

ON/OFF states are specified by contents of the query data field. A logical 1 in bit position of the field requests

the corresponding coils to be ON. A logical 0 requests it to be OFF.

Here is an example of writing the contents of a series of ten discrete coils #20 to 29 to the Slave device with

address 17 (11 0F 0013 000A 02 CD01 BF0B):

Field Name Example


Function Code 0F (Force Multiple Coils, 15 = 0F hex)

Data Address of First Coil 0013 (#20 – 1 = 19 = 13 hex)

Number of Coils 000A (10 = 0A hex)

Number of Data Bytes 02 (10 Coils ÷ 8 bits = 2 bytes)

Coils 27-20 (1100 1101) Coils 29-28 (0000 0001)

CD 01 (includes 6 space holders)

Error Check (CRC) BF0B

Here is an example of the response (11 0F 0013 000A 2699):

Field Name Example


Function Code 0F (Force Multiple Coils, 15 = 0F hex)

Data Address of First Coil 0013 (#20 – 1 = 19 = 13 hex)

Coils Written 000A (10 = 0A hex)


The more significant bits contain the higher coil variables. This shows that coil 20 is ON (1) and 21 is OFF (0). Due

to the number of coils requested, the last data field contains the status of only two coils. The unused bits in the

last data byte are filled in with zeroes.


]


PAGE: 35 of 38

Preset Multiple Registers

Function Code 16 presets values into a sequence of holding registers. When the code is broadcast, this function

presets the same register reference in all attached Slaves. The maximum parameters can vary dependent on the

Modbus Slave. The function will override the controller’s memory protect. The forced state remains in effect

until the controller’s logic overrides any manual commands. Registers not involved in the controller logic will

keep the manually set values indefinitely. The query message specifies the register references to be preset.

Registers are addressed starting at zero (i.e., register 1 is addressed as 0).

Here is an example of writing the contents of two analog output holding registers #40002 and 40003 to Slave

device with address 17 (11 10 0001 0002 04 000A 0102 C6F0):

Field Name Example


Function Code 10 (Preset Multiple Registers, 16 = 10 hex)

Data Address of First Register 0001 (#40002 – 40001 = 1)

Number of Registers 0002

Number of Data Bytes to Follow 04 (2 Registers × 2 Bytes each = 4 Bytes)

Value to Write to Register 40002 000A

Value to Write to Register 40003 0102

Error Check (CRC) C6F0

Here is an example of the response (11 10 0001 0002 1298):

Field Name Example


Function Code 10 (Preset Multiple Registers, 16 = 10 hex)

Data Address of First Register 0001 (#40002 – 40001 = 1)

Number of Registers Written 0002



]


PAGE: 36 of 38

Exception Responses (Error Codes)

Except for broadcast messages, when a Master device sends a query to a Slave device it expects a normal

response. One of the four possible events that can occur from a query by the Master:

If the Slave device receives the query without a communication error and can handle the query

normally, it returns a normal response.

If the Slave does not receive the query due to a communication error, no response is returned. The

Master will eventually process a timeout condition for the query.

If the Slave receives the query, but detects a communication error (parity, LRC, or CRC), no response is

returned. The Master will eventually process a timeout condition for the query.

If the Slave receives the query without a communication error but cannot handle it (e.g., if the request is

to read a nonexistent coil or register), the Slave will return an exception response informing the Master

of the nature of the error. The exception response message has two fields that differentiate it from a

normal response:

o Function Code Field — the most significant bit (MSB) is set to 1 alerting the Master to examine the

data field for the exception code.

o Data Field — contains the exception code that defines the condition that caused the error.

In a normal response the Slave echoes the function code. To denote an exception response, the function code is

shown in the echo with its MSB set to 1. All normal function codes have 0 for their MSB. Therefore, setting this

bit to 1 is the signal that the Slave cannot process the request.

Function Code in Request Function Code in Exception Response

01 (01 hex) 0000 0001 129 (81 hex) 1000 0001

02 (02 hex) 0000 0010 130 (82 hex) 1000 0010

03 (03 hex) 0000 0011 131 (83 hex) 1000 0011

04 (04 hex) 0000 0100 132 (84 hex) 1000 0100

05 (05 hex) 0000 0101 133 (85 hex) 1000 0101

06 (06 hex) 0000 0110 134 (86 hex) 1000 0110

15 (0F hex) 0000 1111 143 (8F hex) 1000 1111

16 (10 hex) 0000 0000 144 (90 hex) 1000 0000


]


PAGE: 37 of 38

Here is an example of a request for the ON/OFF status of discrete coil #1186 from the Slave device with address

10 (0A 01 04A1 0001 AC63):

Contents Example

Slave Address 0A (10 = 0A hex)


Data Address of First Coil 04A1 (#1186 – 1 = 1185 = 04A1 hex)

Number of Coils 0001

CRC AC63

Here is an example of the Slave exception response (0A 81 02 B053):

Contents Example

Slave Address 0A (10 = 0A hex)

Function Code 81 (Read Coil Status – with the MSB set to 1)

Exception Code 02 (#1186 is an illegal address)

CRC B053

Supported Error Codes

Following the Function Code is the Exception Code. The exception code gives an indication of the nature of the

problem. The possible codes are shown below:

Error Code Name Meaning

01 Illegal Function

The function code received in the query is not an allowable action for the slave. This may be because the function code is only applicable to newer devices, and was not implemented in the unit selected. It could also indicate that the slave is in the wrong state to process a request of this type (e.g., because it is not configured and is being asked to return register values). If a Poll Program Complete command was issued, this code indicates that no program function preceded it.

02 Illegal Data Address

The data address received in the query is not an allowable address for the slave. More specifically, the combination of reference number and transfer length is invalid. For example, a controller with 100 registers and a request with offset 96 and length 4 will succeed, a request with offset 96 and length 5 will generate error code 02.


]


PAGE: 38 of 38

03 Illegal Data Value

A value contained in the query data field is not an allowable value for the slave. This indicates a fault in the structure of remainder of a complex request, such as the implied length is incorrect. It specifically does NOT mean that a data item submitted for storage in a register has a value outside the expectation of the application program, since the Modbus protocol is unaware of the significance of any particular value of any particular register.

Documents

Configuring an RTU as a Modbus Master · to 1, in this case use a PLC TYPE value of 14 in the Point Map. Other Ethernet Modbus devices need to have the transmission ID field set to