Modbus function codes

The second parameter in each Modbus message is the function code. This defines the message type and the type of action
required by the slave. The parameter contains one byte of information. In Modbus/ASCII this is coded with two hexadecimal
characters, in Modbus/RTU one byte is used. Valid function codes are in the range 1..255. Not all Modbus devices recognize the
same set of function codes. The most common codes are discussed here.

Normally, when a Modbus slave answers a response, it uses the same function code as in the request. However, when an error
is detected, the highest bit of the function code is turned on. In that way the master can see the difference between success
and failure responses.
Function 01: Read coil status

In Modbus language, a coil is a discrete output value. Modbus function 01 can be used to read the status of such an output. It
is only possible to query one device at a time. Broadcast addressing is not supported with this Modbus function. The function
can be used to request the status of various coils at once. This is done by defining an output range in the data field of the
message.

When receiving a Modbus query message with function 01, the slave collects the necessary output values and constructs an
answer message. The length of this message is dependent on the number of values that have to be returned. In general,
when N values are requested, a number of ((N+7) mod 8) bytes are necessary to store these values. The actual number of
databytes in the datablock is put in the first byte of the data field. Therefore the general structure of an answer to a Modbus
function 01 query is:
After receiving a query message with Modbus function 02, the slave puts the requested input values in a message structure
and sends this message back to the Modbus master. The length of the message depends on the number of input values
returned. This causes the length of the output message to vary. The number of databytes in the data field that contain the
input values is passed as the first byte in the data field. Each Modbus answering message has the following general structure.
Function 03: Read holding registers

Internal values in a Modbus device are stored in holding registers. These registers are two bytes wide and can be used for
various purposes. Some registers contain configuration parameters where others are used to return measured values
(temperatures etc.) to a host. Registers in a Modbus compatible device start counting at 40001. They are addressed in the
Modbus message structure with addresses starting at 0. Modbus function 03 is used to request one or more holding register
values from a device. Only one slave device can be addressed in a single query. Broadcast queries with function 03 are not
supported.

After processing the query, the Modbus slave returns the 16 bit values of the requested holding registers. Because of the size of
the holding registers, every register is coded with two bytes in the answering message. The first data byte contains the high
byte, and the second the low byte of the register. The Modbus answer message starts with the slave device address and the
function code 03. The next byte is the number of data bytes that follow. This value is two times the number of registers
returned. An error check is appended for the host to check if a communication error occured.

Details of ASCII and RTU mode message formats:

ASCII message format:

start(1 character) + address(2 characters) + function(2 characters) + data(x characters) + error check(2 characters) +
ending(2 characters)

In ASCII mode the start character is always a ':' (ie. a colon, no quotes included).

The address field contains 2 characters. The valid slave device addresses are 0-247. The master addresses the proper slave
device by putting the slave devices address in this field. When the slave replies back it places its own address in this field so
that the master knows which device has replied. Address 0 is used as a broadcast address. In
other words, all slaves will react to a message with an address of 0.

The function code also contains 2 characters. Valid function codes are 1-255. Some codes are product specific to Modicon,
others are universal, and still others are reserved for future use. The function code tells the slave device what to do. Some
examples of function codes include reading coil status, reading input status, reading memory locations, forcing coils on, writing
to memory, etc.

The data field comes next and contains information that the slave devices will need to process the request from the master. For
example, which coil statuses should be read, which coils should be forced on, etc. The data field the slave sends back to the
master will contain the data requested or an error code if there was an error.

The error check field in ASCII mode contains the result of the LRC (Longitudinal Redundancy Check) calculation. This calculation
is simply done by adding together all the bytes in the message (excluding the start colon) eliminating any carries, and then 2's
complementing the result.

Lastly, the CR (carriage return) and LF (line feed) characters are added to the message. This tells the receiving device that the
message has ended.

The RTU frames contain the same items except in a more compact form.
Here is the message format:

Start(4 character delay time) + address(8 bits) + function code(8 bits) + data(n x 8 bits) + error check(16 bits) + end (4
character delay time)

It is important to note that in ASCII mode there can be up to a 1 second delay between each character transmission but RTU
mode can have a maximum of 1.5 character delay times between each character. The only differences between ASCII and RTU
message formats are the forming of the message, the start/ends, and the error checking. The start/ends are simply 4 character
time pauses. The error checking is CRC (Cyclical Redundancy Check) calculation.