Reprint: http://www.dzkfw.com.cn/Article/plc/7740.html
Modbus common function code learning and examples
1. Description of MODBUS register types
Although MODBUS supports many function codes, only four register types are involved: coil registers, discrete input registers, holding registers, and input registers.
Once you understand the nature of each register type and how it relates to the function codes, the function codes themselves are easy to understand.
Register type | Read/write status | Bit or word operation | Applicable function code |
---|---|---|---|
coil register | read/write | bit | 01H (read); 05H (write single bit); 0FH (write multiple bits) |
discrete input register | read only | bit | 02H |
holding register | read/write | word | 03H (read); 06H (write single register); 10H (write multiple registers) |
input register | read only | word | 04H |
Coil register: It can be compared to a switch value; each bit corresponds to the switch state of one signal, so one byte can control 8 signals at the same time, for example the levels of 8 external I/O lines. The coil register supports reading and writing, such as controlling or reading the switch status of a solenoid valve. The corresponding function codes are: 0x01, 0x05, 0x0f
Discrete input register: The discrete input register is equivalent to a read-only coil register. Each bit represents a switch value that can only be read, not written. The input state can only be changed externally. For example, I can read whether an external button is pressed or released, but I cannot control the button. The corresponding function code is: 0x02
Holding register: The unit of this register is no longer a bit but two bytes, so it can store a specific data value, and it is readable and writable. For example, I can read the upper and lower alarm limits of a sensor, and also set them. The corresponding function codes are: 0x03, 0x06, 0x10
Input register: The input register is equivalent to a read-only holding register; it supports reading but not writing. Each register also occupies two bytes. For example, the current analog sampling value can be obtained by reading an input register. The corresponding function code is: 0x04
2. Part of MODBUS function codes
MODBUS supports many function codes, but only a few are commonly used in practical applications.
The four register types of Modbus (coil registers, discrete input registers, holding registers, and input registers) were introduced above, and the corresponding function codes were explained from the perspective of the registers. The commonly used function codes are listed below:
function code | name | type of data | effect |
---|---|---|---|
0x01 | read coil register | bit | Get the current state of a group of logic coils (ON/OFF) |
0x02 | Read Discrete Input Register | bit | Get the current state of a group of switch inputs (ON/OFF) |
0x03 | read holding register | integer, float, character | Get the current binary value in one or more holding registers |
0x04 | read input register | Integer, Float | Get the current binary value in one or more input registers |
0x05 | Write a single coil register | bit | Forces the on-off state of a logic coil |
0x06 | write a single holding register | integer, float, character | Load a specific binary value into a holding register |
0x0f | Write multiple coil registers | bit | Forces on and off of a chain of consecutive logic coils |
0x10 | Write multiple holding registers | integer, float, character | Load a specific binary value into a contiguous series of holding registers |
3. Example of MODBUS function code
1. Function code: 01H read coil register
1) Function: Read slave station coil register, bit operation, single or multiple can be read
2) Master sends command:
The host sends data including: slave station address + function code + register start address + register number + check code
Assume the slave station address is 0x01, the start address of the coil register is 0x0021, and the end address is 0x002C, that is, the register address range is 0x0021~0x002C, and a total of 12 consecutive coil status values are read. The host sends the command shown in the table below:
slave address | function code | Register start address high 8 bits | The lower 8 bits of the register start address | The high 8 bits of the number of registers | The lower 8 bits of the register number | CRC check low 8 bits | CRC check high 8 bits |
---|---|---|---|---|---|---|---|
0x01 | 0x01 | 0x00 | 0x21 | 0x00 | 0x0c | 0xXX | 0xXX |
3) Response return from the slave station:
The data returned by the slave station response includes: slave station address + function code + number of returned bytes + data value + check code
Each bit of the returned data value corresponds to one coil status: when the coil status is ON, its value is 1; when the status is OFF, its value is 0.
[Data is stored in little-endian form, that is, the least significant bit is stored in the lowest address of the memory (located on the right side of the binary). Every 8 bits make up a byte. When the number of coils is not a multiple of 8, the remaining bits are filled with 0.]
slave address | function code | returns the number of bytes | data1 | data2 | CRC check low 8 bits | CRC check high 8 bits |
---|---|---|---|---|---|---|
0x01 | 0x01 | 0x02 | 0xCB | 0x0B | 0xXX | 0xXX |
In this example, 12 coils are read, 12/8 has a quotient of 1 and a remainder of 4, so 2 bytes are needed to store the response data, and the number of returned bytes is 2.
Byte 1 stores the values of coils 21~28 (little-endian order: the value of coil 28 is stored in bit 7, and the value of coil 21 is stored in bit 0); byte 2 stores the values of coils 29~32, and the remaining bits are filled with 0.
In the above table, data1 indicates the coil state of 0x0021-0x0028, and the lowest bit of data1 represents the coil state of the lowest address;
data1: 0xCB=1100 1011, then the coil state of data1 is shown in the following table:
coil address | function code | 0x28 | 0x27 | 0x26 | 0x25 | 0x24 | 0x23 | 0x22 | 0x21 |
---|---|---|---|---|---|---|---|---|---|
value | 0x01 | 1 | 1 | 0 | 0 | 1 | 0 | 1 | 1 |
data2 indicates the status of the coils at addresses 0x0029-0x002C, which is fewer than 8 bits, so the high bits of the byte are filled with 0.
data2: 0x0B=0000 1011, then the coil status of data2 is shown in the table below:
coil address | function code | 0x30 | 0x2f | 0x2e | 0x2d | 0x2c | 0x2b | 0x2a | 0x29 |
---|---|---|---|---|---|---|---|---|---|
value | 0x01 | 0 | 0 | 0 | 0 | 1 | 0 | 1 | 1 |
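The 01H exchange above can be reproduced in code. The following is an added example, not part of the original article: it builds the request with a real CRC in place of the 0xXX placeholders, and decodes the 0xCB 0x0B response into per-coil states. The function names are hypothetical, and the response frame is constructed from the table values.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_read_coils(slave: int, start: int, quantity: int) -> bytes:
    """Address + function code + start + quantity (high byte first), CRC low byte first."""
    body = struct.pack(">BBHH", slave, 0x01, start, quantity)
    return body + struct.pack("<H", crc16_modbus(body))

def decode_read_coils(frame: bytes, start: int, quantity: int) -> dict:
    """Validate a 01H response and return {coil address: 0 or 1}."""
    # A frame with its CRC appended low byte first has a CRC residue of 0.
    if len(frame) < 5 or crc16_modbus(frame) != 0:
        raise ValueError("short frame or CRC mismatch")
    byte_count, data = frame[2], frame[3:-2]
    if frame[1] != 0x01:
        raise ValueError("not a read-coils response")
    if byte_count != (quantity + 7) // 8 or len(data) != byte_count:
        raise ValueError("byte count does not match the requested quantity")
    # Bit 0 of the first data byte is the lowest coil address; padding bits are ignored.
    return {start + i: (data[i // 8] >> (i % 8)) & 1 for i in range(quantity)}

def sample_response() -> bytes:
    """Constructed response: the table values 01 01 02 CB 0B plus a computed CRC."""
    body = bytes([0x01, 0x01, 0x02, 0xCB, 0x0B])
    return body + struct.pack("<H", crc16_modbus(body))

if __name__ == "__main__":
    print(build_read_coils(0x01, 0x0021, 12).hex(" "))
    for addr, state in decode_read_coils(sample_response(), 0x0021, 12).items():
        print(f"coil {addr:#06x}: {'ON' if state else 'OFF'}")
```

Checking the byte count against the requested quantity rejects a response that is well-formed but does not answer the request that was sent.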
2. Function code: 02H read discrete input register
1) Function: read discrete input register, bit operation, can read single or multiple, similar to function code 0X01, omitted here;
3. Function code: 03H read holding register
1) Function: Read slave station holding register, byte operation, can read single or multiple; each holding register occupies 2 bytes (16 bits);
2) Master sends instructions:
The master sends data including: slave station address + function code + register start address + register number + check code
Assume that the slave station address is 0x03, the start address of the holding register is 0x003B, and the end address is 0x003D, that is, the register address range is 0x003B~0x003D, and a total of 3 holding registers are read. The host sends the command shown in the table below:
slave address | function code | Register start address high 8 bits | The lower 8 bits of the register start address | The high 8 bits of the number of registers | The lower 8 bits of the number of registers | CRC check low 8 bits | CRC check high 8 bits |
---|---|---|---|---|---|---|---|
0x03 | 0x03 | 0x00 | 0x3B | 0x00 | 0x03 | 0xXX | 0xXX |
3) Slave station response return:
The data returned by the slave station response includes: slave station address + function code + number of returned bytes + data value + check code
slave address | function code | returns the number of bytes | data1H | data1L | data2H | data2L | data3H | data3L | CRC check low 8 bits | CRC check high 8 bits |
---|---|---|---|---|---|---|---|---|---|---|
0x03 | 0x03 | 0x06 | 0x1B | 0x0B | 0x0A | 0x01 | 0xC2 | 0xDB | 0xXX | 0xXX |
In this example, 3 holding registers are read, and each holding register occupies 2 bytes, so 6 bytes are needed to store the response data, and the number of returned bytes is 6.
The values of the 0x003B~0x003D holding registers are shown in the table below:
register address | 0x003D | 0x003C | 0x003B |
---|---|---|---|
value | 0xC2 DB | 0x0A 01 | 0x1B 0B |
4. Function code: 04H read input register
1) Function: read input register, byte operation, can read single or multiple, similar to function code 0X03, omitted here;
5. Function code: 05H Write a single coil register
1) Function: Write operation to a single coil, bit operation, only one can be written. Writing 0xFF00 means turning the coil ON, writing 0x0000 means turning the coil OFF, and other values are invalid;
2) The host sends instructions:
The host sends data including: slave station address + function code + register start address + data value + check code
Assuming the address of the slave station is 0x03 and the start address of the coil register is 0x0032, to set the coil to ON the master sends the command shown in the table below:
slave address | function code | Register start address high 8 bits | The lower 8 bits of the register start address | dataH | dataL | CRC check low 8 bits | CRC check high 8 bits |
---|---|---|---|---|---|---|---|
0x03 | 0x05 | 0x00 | 0x32 | 0xff | 0x00 | 0xXX | 0xXX |
3) Response return from the slave station:
The response data of the slave station includes: slave station address + function code + register address + write value + check code
If the data is successfully written, the response data is the same as the request data, as shown in the following table:
slave address | function code | Register start address high 8 bits | The lower 8 bits of the register start address | dataH | dataL | CRC check low 8 bits | CRC check high 8 bits |
---|---|---|---|---|---|---|---|
0x03 | 0x05 | 0x00 | 0x32 | 0xff | 0x00 | 0xXX | 0xXX |
6. Function code: 06H Write a single holding register
1) Function: Write operation to a single holding register, byte operation, only one can be written.
2) The host sends instructions:
The host sends data including: slave station address + function code + register start address + data value + check code
Assume that the slave station address is 0x01, the start address of the holding register is 0x0048, and the written value is 0x1234. The host then sends the command shown in the following table:
slave address | function code | Register start address high 8 bits | The lower 8 bits of the register start address | dataH | dataL | CRC check low 8 bits | CRC check high 8 bits |
---|---|---|---|---|---|---|---|
0x01 | 0x06 | 0x00 | 0x48 | 0x12 | 0x34 | 0xXX | 0xXX |
3) Response return from the slave station:
The response data of the slave station includes: slave station address + function code + register address + write value + check code
If the data is successfully written, the response data is the same as the request data.
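The request layouts for 03H, 05H and 06H above share one shape: address, function code, then two 16-bit fields. The following added example (not from the original article) is the kind of parser a passive bus monitor could use to separate read requests from state-changing writes, enforce the 0xFF00/0x0000 rule for 05H, check the write echo, and decode the 03H response. Function names are hypothetical, and frames are given without their CRC bytes, as in the tables.

```python
import struct

READS = {0x01: "read coils", 0x02: "read discrete inputs",
         0x03: "read holding registers", 0x04: "read input registers"}
WRITES = {0x05: "write single coil", 0x06: "write single holding register",
          0x0F: "write multiple coils", 0x10: "write multiple holding registers"}

def classify_request(body: bytes) -> dict:
    """Parse address + function code + two 16-bit fields (CRC already stripped)."""
    if len(body) < 6:
        raise ValueError("request too short")
    slave, fc, addr, field = struct.unpack(">BBHH", body[:6])
    if fc in READS:
        return {"slave": slave, "op": READS[fc], "write": False,
                "start": addr, "count": field}
    if fc not in WRITES:
        raise ValueError(f"function code {fc:#04x} is not in the table above")
    info = {"slave": slave, "op": WRITES[fc], "write": True, "start": addr}
    if fc == 0x05:
        # Only 0xFF00 (ON) and 0x0000 (OFF) are valid coil values.
        if field not in (0xFF00, 0x0000):
            raise ValueError("05H value must be 0xFF00 or 0x0000")
        info["value"] = "ON" if field == 0xFF00 else "OFF"
    elif fc == 0x06:
        info["value"] = field
    else:
        info["count"] = field  # 0FH / 10H: number of coils or registers
    return info

def write_confirmed(request: bytes, response: bytes) -> bool:
    """For 05H/06H a successful write is echoed back unchanged."""
    return len(request) >= 6 and request[1] in (0x05, 0x06) and request == response

def decode_registers(response_body: bytes) -> list:
    """03H/04H response: byte count, then high byte and low byte per register."""
    count = response_body[2]
    data = response_body[3:3 + count]
    if count % 2 or len(data) != count:
        raise ValueError("byte count does not match the data length")
    return list(struct.unpack(f">{count // 2}H", data))

if __name__ == "__main__":
    # Constructed from the request and response tables in this article.
    for hexframe in ("030300 3B0003", "030500 32FF00", "010600 481234"):
        print(classify_request(bytes.fromhex(hexframe)))
    print([hex(v) for v in decode_registers(bytes.fromhex("0303061B0B0A01C2DB"))])
```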