PSA56 Modbus RTU Online Manual

Function code descriptions

FC 3 (03h) Read Input Registers / FC 4 (04h) Read Holding Registers

With this function code, one 16-bit value or multiple 16-bit values can be read. This function can be applied to NanoJ objects (see NanoJ objects) or process data objects (min. 4-byte alignment, see Process data objects (PDO)).

Request
Name Length Value
Slave address 1 byte
Function code 1 byte 03h / 04h
Start address 2 bytes 0000h to FFFFh
Number of registers 2 bytes 1 to 125 (7Dh)
CRC 2 bytes
Response ("M" corresponds to the number of registers to be read)
Name Length Value
Slave address 1 byte
Function code 1 byte 03h / 04h
Number of bytes 1 byte 2 * M
Register value 2 bytes
CRC 2 bytes
Error
Name Length Value
Slave address 1 byte
Error code 1 byte 83h / 84h
Exception code (see Exception codes) 1 byte 01, 02, 03 or 04
CRC 2 bytes

Example

Below is an example of a read request and response of register 5000 (1388h) and of the following register (2 registers):

Request
Response
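The request, response and error layouts above can be exercised with the following added example, which is not part of the original manual. It assumes slave address 5 (the address used in later examples of this manual), the standard Modbus RTU CRC-16 and high-byte-first register order, and constructed register values 0102h and 0304h.

```python
import struct

EXCEPTIONS = {1: "Illegal Function", 2: "Illegal Data Address",
              3: "Illegal Data Value", 4: "Device Failure"}


class ModbusError(Exception):
    """Raised when the device answers with an error frame (FC + 80h)."""

    def __init__(self, code):
        super().__init__(f"exception {code:02X}h: {EXCEPTIONS.get(code, 'unknown')}")
        self.code = code


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial A001h, initial value FFFFh."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def add_crc(body: bytes) -> bytes:
    """Append the CRC; Modbus RTU sends its low byte first."""
    return body + struct.pack("<H", crc16_modbus(body))


def build_read_request(slave: int, fc: int, start: int, count: int) -> bytes:
    if fc not in (0x03, 0x04):
        raise ValueError("function code must be 03h or 04h")
    if not 0 <= start <= 0xFFFF:
        raise ValueError("start address must be 0000h to FFFFh")
    if not 1 <= count <= 0x7D:
        raise ValueError("number of registers must be 1 to 7Dh")
    return add_crc(struct.pack(">BBHH", slave, fc, start, count))


def parse_read_response(frame: bytes, slave: int, fc: int, count: int) -> list:
    """Validate a response against the request it answers; return M registers."""
    if len(frame) < 5:
        raise ValueError("frame shorter than the 5-byte error frame")
    if crc16_modbus(frame) != 0:  # CRC over body + CRC is 0 for an intact frame
        raise ValueError("CRC mismatch")
    if frame[0] != slave:
        raise ValueError("response from unexpected slave address")
    if frame[1] == fc | 0x80:  # error code 83h / 84h
        if len(frame) != 5:
            raise ValueError("malformed error frame")
        raise ModbusError(frame[2])
    if frame[1] != fc:
        raise ValueError("function code does not match the request")
    byte_count = frame[2]
    if byte_count != 2 * count or len(frame) != 3 + byte_count + 2:
        raise ValueError("byte count does not equal 2 * M")
    return list(struct.unpack(f">{count}H", frame[3:3 + byte_count]))


if __name__ == "__main__":
    # Register 5000 (1388h) and the following register, slave 5 (assumed).
    request = build_read_request(slave=5, fc=0x03, start=0x1388, count=2)
    print("request :", request.hex(" "))
    # Constructed response carrying the sample values 0102h and 0304h.
    response = add_crc(bytes.fromhex("05 03 04 01 02 03 04"))
    print("response:", response.hex(" "))
    values = parse_read_response(response, 5, 0x03, 2)
    print("values  :", [f"{v:04X}h" for v in values])
```

Checking the byte count against the number of registers that was requested, rather than trusting the length field alone, keeps a corrupted or mismatched response from being read as valid data.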

FC 6 (06h) Write Single Register

This function code can be used to write a single 16-bit value. The function can be used on process data objects (see Process data objects (PDO)).

Request
Name Length Value
Slave address 1 byte
Function code 1 byte 06h
Register address 2 bytes 0000h to FFFFh
Register value 2 bytes 0000h to FFFFh
CRC 2 bytes
Response
Name Length Value
Slave address 1 byte
Function code 1 byte 06h
Register address 2 bytes 0000h to FFFFh
Register value 2 bytes 0000h to FFFFh
CRC 2 bytes
Error
Name Length Value
Slave address 1 byte
Error code 1 byte 86h
Exception code (see Exception codes) 1 byte 01, 02, 03 or 04
CRC 2 bytes

Example

Below is an example of a write request and response in register 6000 (1770h) with the value "0001h":

Request
Response

FC 16 (10h) Write Multiple Registers

With this function code, one 16-bit value or multiple 16-bit values can be written. The function can be applied to NanoJ objects (see NanoJ objects) or process data objects (see Process data objects (PDO)).

Request ("N" is the number of registers to be written)
Name Length Value
Slave address 1 byte
Function code 1 byte 10h
Start address 2 bytes 0000h to FFFFh
Number of registers 2 bytes 0001h to 007Bh
Number of bytes 1 byte 2 * N
Register value N * 2 bytes
CRC 2 bytes
Response
Name Length Value
Slave address 1 byte
Function code 1 byte 10h
Start address 2 bytes 0000h to FFFFh
Number of registers 2 bytes 0001h to 007Bh
CRC 2 bytes
Error
Name Length Value
Slave address 1 byte
Error code 1 byte 90h
Exception code (see Exception codes) 1 byte 01, 02, 03 or 04
CRC 2 bytes

Example

Below is an example for writing values "0102h" and "0304h" starting with register address 6000 (1770h), number of registers is 2, length of the data is 4:

Request
Response

FC 17 (11h) Report Server ID

This function code can be used to read the description of the type, the current status and other information about the device.

Request
Name Length Value
Slave address 1 byte
Function code 1 byte 11h
CRC 2 bytes
Response
Name Length Value
Slave address 1 byte
Function code 1 byte 03h
Number of bytes 1 byte 01h
Run Indicator Status 1 byte 00h = OFF, FFh = ON
Additional data
CRC 2 bytes
Error
Name Length Value
Slave address 1 byte
Error code 1 byte 91h
Exception code (see Exception codes) 1 byte 01 or 04
CRC 2 bytes

Example

Below is an example of a request/response for ID and status:

Request
Response

FC 23 (17h) Read/Write Multiple registers

With this function code, one 16-bit value or multiple 16-bit values can be simultaneously read and written. The function can be applied to NanoJ objects (see NanoJ objects) or process data objects (see Process data objects (PDO)).

Request ("N" is the number of registers to be read):
Name Length Value
Slave address 1 byte
Function code 1 byte 17h
Read: Start address 2 bytes 0000h to FFFFh
Read: Number of registers 2 bytes 0001h to 0079h
Write: Start address 2 bytes 0000h to FFFFh
Write: Number of registers 2 bytes 0001h to 0079h
Write: Number of bytes 1 byte 2 * N
Write: Register value N * 2 bytes
CRC 2 bytes
Response ("M" corresponds to the number of bytes to be written):
Name Length Value
Slave address 1 byte
Function code 1 byte 17h
Number of bytes 1 byte 2 * M
Registers read M * 2 bytes
CRC 2 bytes
Error
Name Length Value
Slave address 1 byte
Error code 1 byte 97h
Exception code (see Exception codes) 1 byte 01, 02, 03 or 04
CRC 2 bytes

Example

Below is an example for reading two registers beginning with register 5000 (1388h) and for writing two registers beginning with register 6000 (1770h) with 4 bytes and data "0102h" and "0304h":

Request
Response

FC 8 (08h) Diagnostics

Modbus function code FC08 offers numerous tests for checking the communication system between client and server or for checking various internal error states within the server.

This function uses a two-byte subfunction code in the request to define the type of test. In a normal response, the server repeats both the function code and the subfunction code. Some diagnoses contain data of the device in the data field of the normal response.

Request:
Name Length Value
Function code 1 byte 08h
Subfunction code 2 bytes
Data N x 2 bytes
Response:
Name Length Value
Function code 1 byte 08h
Subfunction code 2 bytes
Data N x 2 bytes
Error:
Name Length Value
Function code 1 byte 88h
Exception code (see Exception codes) 1 byte 01 or 03 or 04

FC 8.10 (08h.0Ah) Clear Counters and Diagnostic Register

The objective of this request is to reset all counters and diagnosis registers. Counters are also reset when the controller is switched on.

Subfunction Data range
Request Response
00h 0Ah 00h - 00h Echo of the request data

Example

Request
Response

FC 8.11 (08h.0Bh) Return Bus Message Count

The response data range returns the number of messages detected by the communications system since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller.

Subfunction Data range
Request Response
00h 0Bh 00h - 00h Total Message Count

FC 8.12 (08h.0Ch) Return Bus Communication Error Count

The response data range returns the number of CRC errors since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller.

Subfunction Data range
Request Response
00h 0Ch 00h - 00h CRC Error Count

Example

Request
Response

FC 8.13 (08h.0Dh) Return Bus Exception Error Count

The response data range returns the number of Modbus exceptions since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller.

Subfunction Data range
Request Response
00h 0Dh 00h - 00h Exception Error Count

Example

Request
Response

FC 8.14 (08h.0Eh) Return Server Message Count

The response data range returns the number of messages addressed to the device and the number of broadcast messages that were processed by the controller. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.

Subfunction Data range
Request Response
00h 0Eh 00h - 00h Server Message Count

Example

Request
Response

FC 8.15 (08h.0Fh) Return Server No Response Count

The response data range returns the number of messages addressed to the controller for which no response was returned (neither normal response nor exception response). The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.

Subfunction Data range
Request Response
00h 0Fh 00h - 00h No Response Count

Example

Request
Response

FC 8.16 (08h.10h) Return Server NAK Count

The response data range returns the number of messages for which a "Negative Acknowledge (NAK)" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.

Subfunction Data range
Request Response
00h - 10h 00h - 00h Server NAK Count

Example

Request
Response

FC 8.17 (08h.11h) Return Server Busy Count

The response data range returns the number of messages for which a "Server Device Busy" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.

Subfunction Data range
Request Response
00h - 11h 00h - 00h Server NAK Count

Example

Request
Response

FC 8.18 (08h.12h) Return Bus Character Overrun Count

The response data range returns the number of messages addressed to the controller that could not be processed due to a character overrun. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. A character overrun occurs when characters arrive at the controller faster than they can be stored or by the loss of a character due to a hardware malfunction.

Subfunction Data range
Request Response
00h - 12h 00h - 00h Server Character Overrun Count

Example

Request
Response

FC 43 (2Bh) Encapsulated Interface Transport

This function facilitates simple access of the CANopen object dictionary. Further details can be found in the following documentation:

  1. MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3, Date: 26.04.2014, Version: 1.1b3
  2. CiA 309 Draft Standard Proposal - Access from other networks - Part 2: Modbus/TCP mapping V1.3, Date: 30.07.2015, Version: 1.3
Note: For the messages of the Encapsulated Interface Transport, another byte sequence applies in part, see chapter General.

Definition of the request and response:

Name Length Example/number range
Slave address 1 byte
Function code 1 byte 2Bh (43d)
MEI type 1 byte 0Dh (13d)
Protocol options Range 2 to 5 bytes
Address and data range N bytes
CRC 2 bytes

Protocol options Range

Name Length Example/number range
Protocol control 1 to 2 bytes See description
Reserved 1 byte Always 0
(Optional) Counter byte 1 byte
(Optional) Network ID 1 byte
(Optional) Encoded data 1 byte

Protocol control:

The "Protocol control" field contains the flags that are needed for controlling the message protocols. The bytes of the "Protocol control" field are defined as follows if the "extended" flag was set (the second byte is otherwise omitted):

The most significant bit (MSB) is bit 0 for "protocol control" byte 1 and bit 8 for "protocol control" byte 2. The least significant bit (LSB) is bit 7 for "protocol control" byte 1 and bit 15 for "protocol control" byte 2.

Bit Name Description
0 "Extended" flag This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction.
1 Extended protocol control Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes.
2 Counter byte option This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message.
3 and 4 Reserved 0
5 Network ID option Not supported, must be "0".
6 Encoded data option Not supported, must be "0".
7 Access flag This bit indicates the access method of the requested command. "0" = read, "1" = write.
8 to 15 Reserved 0

Address and data range

The address and data range is defined in the following table:

Name Byte size and byte order Example / range
Node-ID 1 byte 01h to 7Fh
Index 2 bytes (1 byte, high; 1 byte, low) 0000h to FFFFh
Subindex 1 byte 00h to FFh
Start address 2 bytes (1 byte, high; 1 byte, low) 0000h to FFFFh
Number of data values 2 bytes (1 byte, high; 1 byte, low) 0000h to 00FDh
Write/read data n bytes The data are encoded as described in chapter General.
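The following added example (not part of the original manual) parses the bytes between the MEI type and the CRC of a request, using the manual's bit numbering in which bit 0 is the MSB. The function name, the returned dictionary, the sample messages and node-ID 1 are assumptions, as is treating "number of data values" as a byte count for write data.

```python
import struct

# Masks follow the manual's numbering: bit 0 is the MSB of byte 1, bit 7 its LSB.
EXTENDED = 0x80      # bit 0: part of a multiple message transaction
EXT_CONTROL = 0x40   # bit 1: protocol control is 2 bytes long
COUNTER_OPT = 0x20   # bit 2: counter byte present
RESERVED = 0x18      # bits 3 and 4: must be 0
NETWORK_ID = 0x04    # bit 5: not supported, must be 0
ENCODED_DATA = 0x02  # bit 6: not supported, must be 0
ACCESS_WRITE = 0x01  # bit 7: 0 = read, 1 = write


class UnsupportedOption(ValueError):
    """Option bit that the controller answers with exception code AEh."""


def parse_mei_request(body: bytes) -> dict:
    """Parse protocol options range plus address and data range (hypothetical helper)."""
    if len(body) < 2:
        raise ValueError("protocol options range is at least 2 bytes")
    ctrl, pos = body[0], 1
    if ctrl & EXT_CONTROL:
        if body[1] != 0:
            raise ValueError("bits 8 to 15 are reserved and must be 0")
        pos = 2
    if ctrl & RESERVED:
        raise ValueError("bits 3 and 4 are reserved and must be 0")
    if ctrl & (NETWORK_ID | ENCODED_DATA):
        raise UnsupportedOption("network ID / encoded data option not supported")
    has_counter = bool(ctrl & COUNTER_OPT)
    if len(body) < pos + 1 + has_counter + 8:
        raise ValueError("message truncated before end of address range")
    if body[pos] != 0:
        raise ValueError("reserved byte must be 0")
    pos += 1
    counter = None
    if has_counter:
        counter = body[pos]
        pos += 1
    # Node-ID, index (high, low), subindex, start address, number of data values
    node, index, sub, start, count = struct.unpack_from(">BHBHH", body, pos)
    pos += 8
    if not 0x01 <= node <= 0x7F:
        raise ValueError("node-ID outside 01h to 7Fh")
    if count > 0x00FD:
        raise ValueError("number of data values above 00FDh")
    data = body[pos:]
    write = bool(ctrl & ACCESS_WRITE)
    if write and len(data) != count:  # assumption: count is the data length in bytes
        raise ValueError("write data length does not match number of data values")
    if not write and data:
        raise ValueError("read request must not carry data")
    return {"write": write, "extended": bool(ctrl & EXTENDED), "counter": counter,
            "node": node, "index": index, "subindex": sub, "start": start,
            "count": count, "data": data}


if __name__ == "__main__":
    # Constructed message: read 2 bytes of object 6042h:00h on node-ID 1.
    print(parse_mei_request(bytes.fromhex("00 00 01 60 42 00 00 00 00 02")))
```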

Example:

To read object 6042h:00h (16-bit value), the following message must be sent by the master (all values are in hexadecimal notation, the slave ID of the controller is "5").

Request
Response

Shown as an additional example below, a sequence of Modbus messages is sent from the master to the slave to rotate the motor in "Velocity" mode:

Set 6060 = "02h" (Velocity mode)
Request
Response
Set 2031 = "03E8h" (1000 mA)
Request
Response
Set 6040 = "00h"
Request
Response
Set 6040 = "80h"
Request
Response
Set 6040 = "06h"
Request
Response
Set 6040 = "07h"
Request
Response
Set 6040 = "0Fh"
Request
Response

Below are two examples for reading an object:

Read 6041h:00h
Request
Response
Read 6061h:00h
Request
Response

Error reaction

In the event of an error, the following error message is sent:

Name Length Example value
Slave address 1 byte
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 6
MEI type 1 byte 0Dh
Exception code 1 byte CEh
Error code 4 bytes CANopen error code, see following table
CRC 2 bytes
CANopen error code Description
FFFF0000h Abort no error
FFFF1003h Service is not supported
FFFF1004h Gap in counter byte of the Protocol control field
FFFF0003h Unknown or invalid command
FFFF0008h Access to the object is not supported
FFFF000Eh General error in the parameter
FFFF0011h Length of parameter incorrect
FFFF0012h Parameter too long
FFFF0013h Parameter too short
FFFF0015h Parameter data outside of the permissible value range (for write commands)
FFFF0016h Parameter data exceed the permissible value range (for write commands)
FFFF0017h Parameter data below the permissible value range (for write commands)
FFFF0018h Maximum entered values less than minimum values
FFFF0019h General error
FFFF001Eh Requested object is too large for single message
FFFF1004h Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response)

In the event that the unsupported control option bit is set, the following error message is sent:

Name Length Example value
Slave address 1 byte
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 2 + length of "supported protocol control"
MEI type 1 byte 0Dh
Exception code 1 byte AEh
Supported protocol control 1 or 2 bytes See following table
CRC 2 bytes
Bit Name Description
0 "Extended" flag This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction.
1 Extended protocol control Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes.
2 Counter byte option This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message.
3 and 4 Reserved 0
5 Network ID option Not supported, must be "0".
6 Encoded data option Not supported, must be "0".
7 Access flag This bit indicates the access method of the requested command. "0" = read, "1" = write.
8 to 15 Reserved 0

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request
Response

FC 101 (65h) Read complete object dictionary

This function code is used to read out the complete object dictionary.

To start or restart the reading out of the object dictionary, subfunction code 55h must be sent. This code resets reading out of the object dictionary on object 0000h. All subsequent object dictionary frames must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated with the abort code "No data available".

The format of each "read object" is as follows:

Request:
Name Length Value / note
Slave address 1 byte
Function code 1 byte 65h
Subfunction code 1 byte 55h or AAh
Length of the data 1 byte 00h
CRC 2 bytes
Response:
Name Length Value / note
Slave address 1 byte 65h
Function code 1 byte
Subfunction code 1 byte
Length of the data 1 byte
n times "object dictionary frame" 1 - 252 bytes
CRC 2 bytes
An object dictionary frame consists of the following bytes:
Name Value / note
Index Low Byte 1 byte
Index High Byte 1 byte
Subindex 1 byte
Number of bytes 1 byte Number m of the valid data in the data field
Data byte m-1 byte

Example

All of the following numerical values are in hexadecimal format. The address of the slave is "5".

Start reading of the object dictionary with request:

The response is:

Read out the next part of the object dictionary with the request:

The response is:

Repeat reading of the object dictionary with the previous request until the response is an error:

Error reaction

In the event of an error, the following error message is sent:

Name Length Example value
Slave address 1 byte
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 6
MEI type 1 byte 0Dh
Exception code 1 byte CEh
Error code 4 bytes CANopen error code, see following table
CRC 2 bytes
CANopen error code Description
FFFF0000h Abort no error
FFFF1003h Service is not supported
FFFF1004h Gap in counter byte of the Protocol control field
FFFF0003h Unknown or invalid command
FFFF0008h Access to the object is not supported
FFFF000Eh General error in the parameter
FFFF0011h Length of parameter incorrect
FFFF0012h Parameter too long
FFFF0013h Parameter too short
FFFF0015h Parameter data outside of the permissible value range (for write commands)
FFFF0016h Parameter data exceed the permissible value range (for write commands)
FFFF0017h Parameter data below the permissible value range (for write commands)
FFFF0018h Maximum entered values less than minimum values
FFFF0019h General error
FFFF001Eh Requested object is too large for single message
FFFF1004h Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response)

In the event that the unsupported control option bit is set, the following error message is sent:

Name Length Example value
Slave address 1 byte
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 2 + length of "supported protocol control"
MEI type 1 byte 0Dh
Exception code 1 byte AEh
Supported protocol control 1 or 2 bytes See following table
CRC 2 bytes
Bit Name Description
0 "Extended" flag This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction.
1 Extended protocol control Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes.
2 Counter byte option This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message.
3 and 4 Reserved 0
5 Network ID option Not supported, must be "0".
6 Encoded data option Not supported, must be "0".
7 Access flag This bit indicates the access method of the requested command. "0" = read, "1" = write.
8 to 15 Reserved 0

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request
Response

FC 102 (66h) Read complete array or record

This function code is used to read out the complete array or record from the object dictionary.

To start or restart the reading out of the array, subfunction code 55h must be sent. This code resets reading out on the object with subindex 00h. All subsequent requests must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated.

The format of each "read object" is as follows:

Request:
Name Length Value / note
Slave address 1 byte
Function code 1 byte 66h
Subfunction code 1 byte 55h or AAh
Length of the data 1 byte 00h
Index of the array to be read 2 bytes
CRC 2 bytes
Response:
Name Length Value / note
Slave address 1 byte 65h
Function code 1 byte
Subfunction code 1 byte
Length of the data 1 byte
n times object dictionary frame 1 - 252 bytes
CRC 2 bytes
An object dictionary frame consists of the following bytes:
Name Value / note
Index Low Byte 1 byte
Index High Byte 1 byte
Subindex 1 byte
Number of bytes 1 byte Number m of the valid data in the data field
Data byte m-1 byte
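The object dictionary frames returned by FC 101 and FC 102, and the 55h / AAh readout sequence both function codes share, are shown in the following added example, which is not part of the original manual. The function names, the `transact` callback (which stands in for sending one request and returning the frame bytes of the response, or `None` on an error response) and the sample payloads are assumptions, as is reading "Number of bytes" as m data bytes following the 4-byte header.

```python
def parse_od_frames(payload: bytes) -> list:
    """Split the "n times object dictionary frame" field into (index, subindex, data)."""
    if not 1 <= len(payload) <= 252:
        raise ValueError("frame field must be 1 to 252 bytes long")
    frames, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 4:
            raise ValueError("truncated object dictionary frame header")
        index = payload[pos] | (payload[pos + 1] << 8)  # index low byte comes first
        subindex = payload[pos + 2]
        m = payload[pos + 3]                            # number of valid data bytes
        pos += 4
        if m > len(payload) - pos:
            raise ValueError("declared data length runs past the end of the field")
        frames.append((index, subindex, payload[pos:pos + m]))
        pos += m
    return frames


def read_object_dictionary(transact, max_requests: int = 1000) -> dict:
    """Send subfunction 55h once, then AAh until the device answers with an error."""
    objects = {}
    subfunction = 0x55                  # start or restart the readout
    for _ in range(max_requests):       # bound the loop against a device that never ends
        payload = transact(subfunction)
        if payload is None:             # error response: all objects have been read
            return objects
        for index, subindex, data in parse_od_frames(payload):
            objects[(index, subindex)] = data
        subfunction = 0xAA              # all subsequent requests
    raise RuntimeError("no end-of-dictionary error response received")


if __name__ == "__main__":
    # Constructed payloads; the object values are sample data only.
    pages = [bytes.fromhex("00 10 00 04 92 01 02 00 41 60 00 02 50 06"),
             bytes.fromhex("61 60 00 01 02")]
    result = read_object_dictionary(lambda sub: pages.pop(0) if pages else None)
    for (index, subindex), data in result.items():
        print(f"{index:04X}h:{subindex:02X}h = {data.hex(' ')}")
```

The data bytes are returned raw because their encoding is described in chapter General, which is outside this section.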

Example

All of the following numerical values are in hexadecimal format; the index of the object that is to be read is 2400h. The address of the slave is "5".

Start reading of the array with request:

The response is:

Error reaction

In the event of an error, the following error message is sent:

Name Length Example value
Slave address 1 byte
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 6
MEI type 1 byte 0Dh
Exception code 1 byte CEh
Error code 4 bytes CANopen error code, see following table
CRC 2 bytes
CANopen error code Description
FFFF0000h Abort no error
FFFF1003h Service is not supported
FFFF1004h Gap in counter byte of the Protocol control field
FFFF0003h Unknown or invalid command
FFFF0008h Access to the object is not supported
FFFF000Eh General error in the parameter
FFFF0011h Length of parameter incorrect
FFFF0012h Parameter too long
FFFF0013h Parameter too short
FFFF0015h Parameter data outside of the permissible value range (for write commands)
FFFF0016h Parameter data exceed the permissible value range (for write commands)
FFFF0017h Parameter data below the permissible value range (for write commands)
FFFF0018h Maximum entered values less than minimum values
FFFF0019h General error
FFFF001Eh Requested object is too large for single message
FFFF1004h Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response)

In the event that the unsupported control option bit is set, the following error message is sent:

Name Length Example value
Slave address 1 byte
Function code 1 byte 2Bh +80h (171d = 43d + 128d) (indicates error)
Modbus exception code 1 byte FFh ("extended exception")
Extended exception length 2 bytes 2 + length of "supported protocol control"
MEI type 1 byte 0Dh
Exception code 1 byte AEh
Supported protocol control 1 or 2 bytes See following table
CRC 2 bytes
Bit Name Description
0 "Extended" flag This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction.
1 Extended protocol control Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes.
2 Counter byte option This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message.
3 and 4 Reserved 0
5 Network ID option Not supported, must be "0".
6 Encoded data option Not supported, must be "0".
7 Access flag This bit indicates the access method of the requested command. "0" = read, "1" = write.
8 to 15 Reserved 0

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request
Response

Exception codes

In case of an error, the following exception codes may be contained in the response depending on the function code:

Code Name Description
01 Illegal Function Function code not recognized/allowed
02 Illegal Data Address Register address not valid or does not exist
03 Illegal Data Value Value not valid
04 Device Failure Unrecoverable error

For further details, refer to Modbus specification MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3.
