CPB Modbus TCP Technical Manual

Function code descriptions

FC 3 (03h) Read Input Registers / FC 4 (04h) Read Holding Registers

With this function code, one 16-bit value or multiple 16-bit values can be read. This function can be applied to NanoJ objects (see NanoJ objects) or process data objects (min. 4-byte alignment, see Process data objects (PDO)).

Request
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0006h
Unit Identifier 1 byte 00h
Function code 1 byte 03h / 04h
Start address 2 bytes 0000h to FFFFh
Number of registers 2 bytes 1 to 125 (7Dh)
Response ("M" corresponds to the number of registers to be read)
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0003h + 2*M
Unit Identifier 1 byte 00h
Function code 1 byte 03h / 04h
Number of bytes 1 byte 2 * M
Register value 2 bytes
Error
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0003h
Unit Identifier 1 byte 00h
Error code 1 byte 83h / 84h
Exception code (see Exception codes) 1 byte 01, 02, 03 or 04

Example

Below is an example of a read request and response of register 5000 (1388h) and of the following register (2 registers):

Request
Response

FC 6 (06h) Write Single Register

This function code can be used to write a single 16-bit value. The function can be used on process data objects (see Process data objects (PDO)).

Request
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0006h
Unit Identifier 1 byte 00h
Function code 1 byte 06h
Register address 2 bytes 0000h to FFFFh
Register value 2 bytes 0000h to FFFFh
Response
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0006h
Unit Identifier 1 byte 00h
Function code 1 byte 06h
Register address 2 bytes 0000h to FFFFh
Register value 2 bytes 0000h to FFFFh
Error
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0003h
Unit Identifier 1 byte 00h
Error code 1 byte 86h
Exception code (see Exception codes) 1 byte 01, 02, 03 or 04

Example

Below is an example of a write request and response in register 6000 (1770h) with the value "0001h":

Request
Response

FC 16 (10h) Write Multiple Registers

With this function code, one 16-bit value or multiple 16-bit values can be written. The function can be applied to NanoJ objects (see NanoJ objects) or process data objects (see Process data objects (PDO)).

Request ("N" is the number of registers to be written)
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0007h + N * 2
Unit Identifier 1 byte 00h
Function code 1 byte 10h
Start address 2 bytes 0000h to FFFFh
Number of registers 2 bytes 0001h to 007Bh
Number of bytes 1 byte 2 * N
Register value N * 2 bytes
Response
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0006h
Unit Identifier 1 byte 00h
Function code 1 byte 10h
Start address 2 bytes 0000h to FFFFh
Number of registers 2 bytes 0001h to 007Bh
Error
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0003h
Unit Identifier 1 byte 00h
Error code 1 byte 90h
Exception code (see Exception codes) 1 byte 01, 02, 03 or 04

Example

Below is an example for writing values "0102h" and "0304h" starting with register address 6000 (1770h), number of registers is 2, length of the data is 4:

Request
Response

FC 23 (17h) Read/Write Multiple registers

With this function code, one 16-bit value or multiple 16-bit values can be simultaneously read and written. The function can be applied to NanoJ objects (see NanoJ objects) or process data objects (see Process data objects (PDO)).

Request ("N" is the number of registers to be read):
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 000Bh + 2 * N
Unit Identifier 1 byte 00h
Function code 1 byte 17h
Read: Start address 2 bytes 0000h to FFFFh
Read: Number of registers 2 bytes 0001h to 0079h
Write: Start address 2 bytes 0000h to FFFFh
Write: Number of registers 2 bytes 0001h to 0079h
Write: Number of bytes 1 byte 2 * N
Write: Register value N * 2 bytes
Response ("M" corresponds to the number of bytes to be written):
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0003h + 2 * M
Unit Identifier 1 byte 00h
Function code 1 byte 17h
Number of bytes 1 byte 2 * M
Registers read M * 2 bytes
Error
Name Length Value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0003h
Unit Identifier 1 byte 00h
Error code 1 byte 97h
Exception code (see Exception codes) 1 byte 01, 02, 03 or 04

Example

Below is an example for reading two registers beginning with register 5000 (1388h) and for writing two registers beginning with register 6000 (1770h) with 4 bytes and data "0102h" and "0304h":

Request
Response
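The request tables for FC 3/4, FC 6, FC 16 and FC 23 fix the relationship between the MBAP Length field, the register count and the byte count, which is what a gateway or monitoring tool can check before a frame reaches the controller. The following check is an added example, not code from this manual; it assumes the big-endian field order of the Modbus specification, and the sample frames are constructed from the values used in the examples above.

```python
import struct

# Register-count limits from the request tables: FC 3/4, FC 16, FC 23.
MAX_READ, MAX_WRITE, MAX_RW = 0x7D, 0x7B, 0x79


def check_request(adu: bytes) -> str:
    """Return "ok" or the reason a Modbus TCP register request is malformed."""
    if len(adu) < 8:
        return "frame shorter than MBAP header plus function code"
    _tid, proto, length, _unit, fc = struct.unpack(">HHHBB", adu[:8])
    if proto != 0:
        return "protocol identifier is not 0000h"
    if length != len(adu) - 6:  # Length counts the bytes after the Length field
        return "length field does not match frame size"
    body = adu[8:]
    if fc in (0x03, 0x04):
        if len(body) != 4:
            return "wrong body size"
        _start, count = struct.unpack(">HH", body)
        return "ok" if 1 <= count <= MAX_READ else "register count out of range"
    if fc == 0x06:
        return "ok" if len(body) == 4 else "wrong body size"
    if fc == 0x10:
        if len(body) < 5:
            return "wrong body size"
        _start, count, nbytes = struct.unpack(">HHB", body[:5])
        if not 1 <= count <= MAX_WRITE:
            return "register count out of range"
        if nbytes != 2 * count or len(body) != 5 + nbytes:
            return "byte count inconsistent with register count"
        return "ok"
    if fc == 0x17:
        if len(body) < 9:
            return "wrong body size"
        _rs, rcount, _ws, wcount, nbytes = struct.unpack(">HHHHB", body[:9])
        if not (1 <= rcount <= MAX_RW and 1 <= wcount <= MAX_RW):
            return "register count out of range"
        if nbytes != 2 * wcount or len(body) != 9 + nbytes:
            return "byte count inconsistent with register count"
        return "ok"
    return "function code not covered by this check"


# Constructed sample frames (hex), not captured traffic.
SAMPLES = {
    "FC 3: read 2 registers from 1388h": "00 00 00 00 00 06 00 03 13 88 00 02",
    "FC 6: write 0001h to 1770h": "00 00 00 00 00 06 00 06 17 70 00 01",
    "FC 16: write 0102h 0304h at 1770h": "00 00 00 00 00 0b 00 10 17 70 00 02 04 01 02 03 04",
    "FC 23: read 2 at 1388h, write 2 at 1770h":
        "00 00 00 00 00 0f 00 17 13 88 00 02 17 70 00 02 04 01 02 03 04",
    "FC 16: count 3 but only 4 data bytes": "00 00 00 00 00 0b 00 10 17 70 00 03 04 01 02 03 04",
    "FC 3: count 7Eh": "00 00 00 00 00 06 00 03 13 88 00 7e",
}


def check_samples() -> dict:
    """Run check_request over every constructed sample frame."""
    return {name: check_request(bytes.fromhex(hx)) for name, hx in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name}: {verdict}")
```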

FC 43 (2Bh) Encapsulated Interface Transport

This function facilitates simple access to the CANopen object dictionary. Further details can be found in the following documentation:

  1. MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3, Date: 26.04.2014, Version: 1.1b3
  2. CiA 309 Draft Standard Proposal - Access from other networks - Part 2: Modbus/TCP mapping V1.3, Date: 30.07.2015, Version: 1.3

Note: For the messages of the Encapsulated Interface Transport, another byte sequence applies in part, see chapter General.

Definition of the request and response:

Name Length Example/number range
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 00NNh
Unit Identifier 1 byte 00h
Function code 1 byte 2Bh (43d)
MEI type 1 byte 0Dh (13d)
Protocol options Range 2 to 5 bytes
Address and data range N bytes

Protocol options Range

Name Length Example/number range
Protocol control 1 to 2 bytes See description
Reserved 1 byte Always 0
(Optional) Counter byte 1 byte
(Optional) Network ID 1 byte
(Optional) Encoded data 1 byte

Protocol control:

The "Protocol control" field contains the flags that are needed for controlling the message protocols. The bytes of the "Protocol control" field are defined as follows if the "extended" flag was set (the second byte is otherwise omitted):

The most significant bit (MSB) is bit 0 for "protocol control" byte 1 and bit 8 for "protocol control" byte 2. The least significant bit (LSB) is bit 7 for "protocol control" byte 1 and bit 15 for "protocol control" byte 2.

Bit Name Description
0 "Extended" flag This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction.
1 Extended protocol control Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes.
2 Counter byte option This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message.
3 and 4 Reserved 0
5 Network ID option Not supported, must be "0".
6 Encoded data option Not supported, must be "0".
7 Access flag This bit indicates the access method of the requested command. "0" = read, "1" = write.
8 to 15 Reserved 0

Address and data range

The address and data range is defined in the following table:

Name Byte size and byte order Example / range
Node-ID 1 byte 01h to 7Fh
Index 2 bytes (1 byte high, then 1 byte low) 0000h to FFFFh
Subindex 1 byte 00h to FFh
Start address 2 bytes (1 byte high, then 1 byte low) 0000h to FFFFh
Number of data values 2 bytes (1 byte high, then 1 byte low) 0000h to 00FDh
Write/read data n bytes The data are encoded as described in chapter General.

Example:

To read object 6042h:00h (16-bit value), the following message must be sent by the master (all values are in hexadecimal notation).

Request
Response
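Because bit 0 of the "Protocol control" field is the most significant bit, the flag masks are mirrored compared with the usual LSB-0 numbering, and the protocol options range changes length with the flags. The following sketch is an added example, not code from this manual: it builds the single-message read request for 6042h:00h from the tables above and parses such a request back, rejecting option and reserved bits that must be "0". Node-ID 01h is an assumed value, and the header fields are emitted in the order the tables list them (high byte first); the write/read data are passed through undecoded.

```python
import struct

# Table bit 0 is the MSB of protocol control byte 1, so table bit n is mask 0x80 >> n.
EXTENDED, EXT_CTRL, COUNTER, NETWORK_ID, ENCODED, WRITE = (
    0x80 >> n for n in (0, 1, 2, 5, 6, 7))
RESERVED = (0x80 >> 3) | (0x80 >> 4)


def decode_protocol_control(byte1: int) -> dict:
    """Decode protocol control byte 1 and reject bits the tables say must be 0."""
    if byte1 & (NETWORK_ID | ENCODED):
        raise ValueError("unsupported option bit set (device replies with AEh)")
    if byte1 & RESERVED:
        raise ValueError("reserved bits 3 and 4 must be 0")
    return {"multi_message": bool(byte1 & EXTENDED),
            "control_length": 2 if byte1 & EXT_CTRL else 1,
            "has_counter": bool(byte1 & COUNTER),
            "write": bool(byte1 & WRITE)}


def build_read_request(node_id: int, index: int, subindex: int, nbytes: int) -> bytes:
    """Single-message read request: 1-byte protocol control 00h, no counter byte."""
    if not 0x01 <= node_id <= 0x7F:
        raise ValueError("Node-ID must be 01h to 7Fh")
    if not 0 <= nbytes <= 0x00FD:
        raise ValueError("number of data values must be 0000h to 00FDh")
    pdu = struct.pack(">BBBB", 0x2B, 0x0D, 0x00, 0x00)  # FC, MEI type, control, reserved
    pdu += struct.pack(">BHBHH", node_id, index, subindex, 0x0000, nbytes)
    return struct.pack(">HHHB", 0, 0, len(pdu) + 1, 0x00) + pdu  # MBAP header


def parse_request(adu: bytes) -> dict:
    """Walk the variable-length protocol options, then the address range."""
    try:
        _tid, proto, length, _unit, fc, mei = struct.unpack(">HHHBBB", adu[:9])
        if proto != 0 or length != len(adu) - 6 or (fc, mei) != (0x2B, 0x0D):
            raise ValueError("not a well-formed FC 43 / MEI type 0Dh frame")
        out = decode_protocol_control(adu[9])
        pos = 10
        if out["control_length"] == 2:
            if adu[pos] != 0:
                raise ValueError("protocol control bits 8 to 15 are reserved")
            pos += 1
        if adu[pos] != 0:
            raise ValueError("reserved byte must be 0")
        pos += 1
        if out["has_counter"]:
            out["counter"] = adu[pos]
            pos += 1
        node, index, sub, start, count = struct.unpack(">BHBHH", adu[pos:pos + 8])
    except (struct.error, IndexError):
        raise ValueError("frame truncated") from None
    out.update(node_id=node, index=index, subindex=sub, start=start,
               count=count, data=adu[pos + 8:])
    return out


if __name__ == "__main__":
    # Node-ID 01h is an assumed value for this constructed request.
    print(build_read_request(0x01, 0x6042, 0x00, 2).hex(" "))
```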

Shown as an additional example below, a sequence of Modbus messages is sent from the master to the slave to rotate the motor in "Velocity" mode:

Set 6060 = "02h" (Velocity mode)
Request
Response
Set 2031 = "03E8h" (1000 mA)
Request
Response
Set 6040 = "00h"
Request
Response
Set 6040 = "80h"
Request
Response
Set 6040 = "06h"
Request
Response
Set 6040 = "07h"
Request
Response
Set 6040 = "0Fh"
Request
Response

Below are two examples for reading an object:

Read 6041h:00h
Request
Response
Read 6061h:00h
Request
Response

Error reaction

In the event of an error, the following error message is sent:

Name Length Example value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 000Bh
Unit Identifier 1 byte 00h
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 6
MEI type 1 byte 0Dh
Exception code 1 byte CEh
Error code 4 bytes CANopen error code, see following table
CANopen error code Description
FFFF0000h Abort no error
FFFF1003h Service is not supported
FFFF1004h Gap in counter byte of the Protocol control field
FFFF0003h Unknown or invalid command
FFFF0008h Access to the object is not supported
FFFF000Eh General error in the parameter
FFFF0011h Length of parameter incorrect
FFFF0012h Parameter too long
FFFF0013h Parameter too short
FFFF0015h Parameter data outside of the permissible value range (for write commands)
FFFF0016h Parameter data exceed the permissible value range (for write commands)
FFFF0017h Parameter data below the permissible value range (for write commands)
FFFF0018h Maximum entered values less than minimum values
FFFF0019h General error
FFFF001Eh Requested object is too large for single message
FFFF1004h Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response)

In the event that the unsupported control option bit is set, the following error message is sent:

Name Length Example value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0008/0009h
Unit Identifier 1 byte 00h
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 2 + length of "supported protocol control"
MEI type 1 byte 0Dh
Exception code 1 byte AEh
Supported protocol control 1 or 2 bytes See following table
Bit Name Description
0 "Extended" flag This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction.
1 Extended protocol control Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes.
2 Counter byte option This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message.
3 and 4 Reserved 0
5 Network ID option Not supported, must be "0".
6 Encoded data option Not supported, must be "0".
7 Access flag This bit indicates the access method of the requested command. "0" = read, "1" = write.
8 to 15 Reserved 0

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request
Response

FC 101 (65h) Read complete object dictionary

This function code is used to read out the complete object dictionary.

To start or restart the reading out of the object dictionary, subfunction code 55h must be sent. This code resets reading out of the object dictionary on object 0000h. All subsequent object dictionary frames must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated with the abort code "No data available".

The format of each "read object" is as follows:

Request:
Name Length Value / note
Slave address 1 byte
Function code 1 byte 65h
Subfunction code 1 byte 55h or AAh
Length of the data 1 byte 00h
CRC 2 bytes
Response:
Name Length Value / note
Slave address 1 byte 65h
Function code 1 byte
Subfunction code 1 byte
Length of the data 1 byte
n times "object dictionary frame" 1 - 252 bytes
CRC 2 bytes
An object dictionary frame consists of the following bytes:
Name Value / note
Index Low Byte 1 byte
Index High Byte 1 byte
Subindex 1 byte
Number of bytes 1 byte Number m of the valid data in the data field
Data byte m-1 byte

Example

All of the following numerical values are in hexadecimal format.

Start reading of the object dictionary with request:

The response is:

Read out the next part of the object dictionary with the request:

The response is:

Repeat reading of the object dictionary with the previous request until the response is an error:

Error reaction

In the event of an error, the following error message is sent:

Name Length Example value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 000Bh
Unit Identifier 1 byte 00h
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 6
MEI type 1 byte 0Dh
Exception code 1 byte CEh
Error code 4 bytes CANopen error code, see following table
CANopen error code Description
FFFF0000h Abort no error
FFFF1003h Service is not supported
FFFF1004h Gap in counter byte of the Protocol control field
FFFF0003h Unknown or invalid command
FFFF0008h Access to the object is not supported
FFFF000Eh General error in the parameter
FFFF0011h Length of parameter incorrect
FFFF0012h Parameter too long
FFFF0013h Parameter too short
FFFF0015h Parameter data outside of the permissible value range (for write commands)
FFFF0016h Parameter data exceed the permissible value range (for write commands)
FFFF0017h Parameter data below the permissible value range (for write commands)
FFFF0018h Maximum entered values less than minimum values
FFFF0019h General error
FFFF001Eh Requested object is too large for single message
FFFF1004h Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response)

In the event that the unsupported control option bit is set, the following error message is sent:

Name Length Example value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0008/0009h
Unit Identifier 1 byte 00h
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 2 + length of "supported protocol control"
MEI type 1 byte 0Dh
Exception code 1 byte AEh
Supported protocol control 1 or 2 bytes See following table
Bit Name Description
0 "Extended" flag This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction.
1 Extended protocol control Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes.
2 Counter byte option This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message.
3 and 4 Reserved 0
5 Network ID option Not supported, must be "0".
6 Encoded data option Not supported, must be "0".
7 Access flag This bit indicates the access method of the requested command. "0" = read, "1" = write.
8 to 15 Reserved 0

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request
Response

FC 102 (66h) Read complete array or record

This function code is used to read out the complete array or record from the object dictionary.

To start or restart the reading out of the array, subfunction code 55h must be sent. This code resets reading out on the object with subindex 00h. All subsequent requests must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated.

The format of each "read object" is as follows:

Request:
Name Length Value / note
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0007h
Unit Identifier 1 byte 00h
Function code 1 byte 66h
Subfunction code 1 byte 55h or AAh
Length of the data 1 byte 00h
Index of the array to be read 2 bytes
Response:
Name Length Value / note
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0004h+n
Unit Identifier 1 byte 00h
Function code 1 byte
Subfunction code 1 byte
Length of the data 1 byte
n times object dictionary frame 1 - 252 bytes
An object dictionary frame consists of the following bytes:
Name Value / note
Index Low Byte 1 byte
Index High Byte 1 byte
Subindex 1 byte
Number of bytes 1 byte Number m of the valid data in the data field
Data byte m-1 byte
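The object dictionary frames returned by FC 101 and FC 102 are packed back to back, each carrying its own length byte, so a reader has to walk them and must not trust a length that points past the end of the message. The following parser is an added example, not code from this manual; it assumes the data field of a frame holds exactly m bytes and that the Modbus TCP response carries the MBAP header shown in the FC 102 response table. The sample response for index 2400h is constructed.

```python
import struct


def parse_od_frames(area: bytes) -> list:
    """Split the "n times object dictionary frame" field into (index, subindex, data)."""
    if not 1 <= len(area) <= 252:
        raise ValueError("frame area must be 1 to 252 bytes")
    frames, pos = [], 0
    while pos < len(area):
        if len(area) - pos < 4:
            raise ValueError(f"truncated frame header at offset {pos}")
        idx_lo, idx_hi, sub, m = area[pos:pos + 4]  # index arrives low byte first
        data = area[pos + 4:pos + 4 + m]
        if len(data) != m:  # length byte points past the end of the message
            raise ValueError(
                f"frame at offset {pos} claims {m} data bytes, {len(data)} present")
        frames.append(((idx_hi << 8) | idx_lo, sub, data))
        pos += 4 + m
    return frames


def parse_fc102_response(adu: bytes) -> tuple:
    """Return (subfunction code, frames) from a Modbus TCP FC 102 response."""
    if len(adu) < 10:
        raise ValueError("frame too short")
    _tid, proto, length, _unit, fc, subfc, _datalen = struct.unpack(
        ">HHHBBBB", adu[:10])
    if proto != 0 or fc != 0x66:
        raise ValueError("not an FC 102 response")
    if length != len(adu) - 6:  # response table: Length = 0004h + n
        raise ValueError("MBAP length does not match frame size")
    return subfc, parse_od_frames(adu[10:])


# Constructed response: three frames for index 2400h, subindices 00h to 02h.
SAMPLE_RESPONSE = bytes.fromhex(
    "00 00 00 00 00 19 00 66 55 15"   # MBAP, FC 66h, subfunction 55h, data length
    "00 24 00 01 02"                  # 2400h:00h, 1 data byte
    "00 24 01 04 11 22 33 44"         # 2400h:01h, 4 data bytes
    "00 24 02 04 00 00 00 00"         # 2400h:02h, 4 data bytes
)

if __name__ == "__main__":
    subfc, frames = parse_fc102_response(SAMPLE_RESPONSE)
    for index, sub, data in frames:
        print(f"{index:04X}h:{sub:02X}h = {data.hex(' ')}")
```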

Example

All of the following numerical values are in hexadecimal format; the index of the object that is to be read is 2400h.

Start reading of the array with request:

The response is:

Error reaction

In the event of an error, the following error message is sent:

Name Length Example value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 000Bh
Unit Identifier 1 byte 00h
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 6
MEI type 1 byte 0Dh
Exception code 1 byte CEh
Error code 4 bytes CANopen error code, see following table
CANopen error code Description
FFFF0000h Abort no error
FFFF1003h Service is not supported
FFFF1004h Gap in counter byte of the Protocol control field
FFFF0003h Unknown or invalid command
FFFF0008h Access to the object is not supported
FFFF000Eh General error in the parameter
FFFF0011h Length of parameter incorrect
FFFF0012h Parameter too long
FFFF0013h Parameter too short
FFFF0015h Parameter data outside of the permissible value range (for write commands)
FFFF0016h Parameter data exceed the permissible value range (for write commands)
FFFF0017h Parameter data below the permissible value range (for write commands)
FFFF0018h Maximum entered values less than minimum values
FFFF0019h General error
FFFF001Eh Requested object is too large for single message
FFFF1004h Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response)

In the event that the unsupported control option bit is set, the following error message is sent:

Name Length Example value
Transaction Identifier 2 bytes 0000h
Protocol Identifier 2 bytes 0000h
Length 2 bytes 0008/0009h
Unit Identifier 1 byte 00h
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 2 + length of "supported protocol control"
MEI type 1 byte 0Dh
Exception code 1 byte AEh
Supported protocol control 1 or 2 bytes See following table
Bit Name Description
0 "Extended" flag This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction.
1 Extended protocol control Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes.
2 Counter byte option This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message.
3 and 4 Reserved 0
5 Network ID option Not supported, must be "0".
6 Encoded data option Not supported, must be "0".
7 Access flag This bit indicates the access method of the requested command. "0" = read, "1" = write.
8 to 15 Reserved 0

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request
Response

Exception codes

In case of an error, the following exception codes may be contained in the response depending on the function code:

Code Name Description
01 Illegal Function Function code not recognized/allowed
02 Illegal Data Address Register address not valid or does not exist
03 Illegal Data Value Value not valid
04 Device Failure Unrecoverable error

For further details, refer to Modbus specification MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3.
