Read Coil Status (FC=01)

Request
This command is requesting the ON/OFF status of discrete coils # 20 to 56
from the slave device with address 17.
11 01 0013 0025 0E84
11: The Slave Address (17 = 11 hex)
01: The Function Code (read Coil Status)
0013: The Data Address of the first coil to read. (Coil 20 - 1 = 19 = 13 hex)
0025: The total number of coils requested. (coils 20 to 56 = 37 = 25 hex)
0E84: The CRC (cyclic redundancy check) for error checking.
Response
11 01 05 CD6BB20E1B 45E6
11: The Slave Address (17 = 11 hex)
01: The Function Code (read Coil Status)
05: The number of data bytes to follow (37 Coils / 8 bits per byte = 5 bytes)
CD: Coils 27 - 20 (1100 1101)
6B: Coils 35 - 28 (0110 1011)
B2: Coils 43 - 36 (1011 0010)
0E: Coils 51 - 44 (0000 1110)
1B: 3 space holders & Coils 56 - 52 (0001 1011)
45E6: The CRC (cyclic redundancy check).
The more significant bits contain the higher coil variables. This shows that coil 36 is off (0) and
43 is on (1). Due to the number of coils requested, the last data field1B contains the status of
only 5 coils. The three most significant bits in this data field are filled in with zeroes.

Read Input Status (FC=02)

Request
This command is requesting the ON/OFF status of discrete inputs # 10197 to 10218
from the slave device with address 17.
11 02 00C4 0016 BAA9
11: The Slave Address (17 = 11 hex)
02: The Function Code (read Input Status)

00C4: The Data Address of the first input to read. (10197 - 10001 = 196 = C4 hex)
0016: The total number of coils requested. (197 to 218 = 22 = 16 hex)
BAA9: The CRC (cyclic redundancy check) for error checking.
Response
11 02 03 ACDB35 2018
11: The Slave Address (17 = 11 hex)
02: The Function Code (read Input Status)
03: The number of data bytes to follow (22 Inputs / 8 bits per byte = 3 bytes)
AC: Discrete Inputs 10204 -10197 (1010 1100)
DB: Discrete Inputs 10212 - 10205 (1101 1011)
35: 2 space holders & Discrete Inputs 10218 - 10213 (0011 0101)
2018: The CRC (cyclic redundancy check).
The more significant bits contain the higher Discrete inputs. This shows that input 10197 is off
(0) and 10204 is on (1). Due to the number of inputs requested, the last data field 35 contains
the status of only 6 inputs. The two most significant bits in this data field are filled in with
zeroes.

Read Holding Registers (FC=03)

Request
This command is requesting the content of analog output holding registers # 40108 to
40110 from the slave device with address 17.
11 03 006B 0003 7687
11: The Slave Address (17 = 11 hex)
03: The Function Code (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (40108-40001 = 107 = 6B hex)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)
7687: The CRC (cyclic redundancy check) for error checking.
Response
11 03 06 AE41 5652 4340 49AD
11: The Slave Address (17 = 11 hex)
03: The Function Code (read Analog Output Holding Registers)
06: The number of data bytes to follow (3 registers x 2 bytes each = 6 bytes)
AE41: The contents of register 40108

5652: The contents of register 40109

4340: The contents of register 40110
49AD: The CRC (cyclic redundancy check).

Read Input Registers (FC=04)

Request
This command is requesting the content of analog input register # 30009
from the slave device with address 17.
11 04 0008 0001 B298
11: The Slave Address (17 = 11 hex)
04: The Function Code (read Analog Input Registers)
0008: The Data Address of the first register requested. (30009-30001 = 8)
0001: The total number of registers requested. (read 1 register)
B298: The CRC (cyclic redundancy check) for error checking.
Response
11 04 02 000A F8F4
11: The Slave Address (17 = 11 hex)
04: The Function Code (read Analog Input Registers)
02: The number of data bytes to follow (1 registers x 2 bytes each = 2 bytes)
000A: The contents of register 30009
F8F4: The CRC (cyclic redundancy check).

Force Single Coil (FC=05)

Request
This command is writing the contents of discrete coil # 173 to ON
in the slave device with address 17.
11 05 00AC FF00 4E8B
11: The Slave Address (17 = 11 hex)
05: The Function Code (Force Single Coil)
00AC: The Data Address of the coil. (coil# 173 - 1 = 172 = AC hex)
FF00: The status to write ( FF00 = ON, 0000 = OFF )
4E8B: The CRC (cyclic redundancy check) for error checking.

Response
The normal response is an echo of the query, returned after the coil has been written.
11 05 00AC FF00 4E8B
11: The Slave Address (17 = 11 hex)
05: The Function Code (Force Single Coil)
00AC: The Data Address of the coil. (coil# 173 - 1 = 172 = AC hex)
FF00: The status written ( FF00 = ON, 0000 = OFF )
4E8B: The CRC (cyclic redundancy check) for error checking.

Preset Single Register (FC=06)

Request
This command is writing the contents of analog output holding register # 40002
to the slave device with address 17.
11 06 0001 0003 9A9B
11: The Slave Address (17 = 11 hex)
06: The Function Code (Preset Single Register)
0001: The Data Address of the register. (# 40002 - 40001 = 1 )
0003: The value to write
9A9B: The CRC (cyclic redundancy check) for error checking.
Response
The normal response is an echo of the query, returned after the register contents have been
written.
11 06 0001 0003 9A9B
11: The Slave Address (17 = 11 hex)
06: The Function Code (Preset Single Register)
0001: The Data Address of the register. (# 40002 - 40001 = 1 )
0003: The value written
9A9B: The CRC (cyclic redundancy check) for error checking.

Force Multiple Coils (FC=15)

Request

This command is writing the contents of a series of 10 discrete coils from #20 to #29
to the slave device with address 17.
11 0F 0013 000A 02 CD01 BF0B
11: The Slave Address (17 = 11 hex)
0F: The Function Code (Force Multiple Coil, 15 = 0F hex)
0013: The Data Address of the first coil. (coil# 20 - 1 = 19 = 13 hex)
000A: The number of coils to written (10 = 0A hex)
02: The number of data bytes to follow (10 Coils / 8 bits per byte = 2 bytes)
CD: Coils 27 - 20 (1100 1101)
01: 6 space holders & Coils 29 - 28 (0000 0001)
BF0B: The CRC (cyclic redundancy check) for error checking.
The more significant bits contain the higher coil variables. This shows that coil 20 is on (1) and
21 is off (0). Due to the number of coils requested, the last data field01 contains the status of
only 2 coils. The unused bits in the last data byte are filled in with zeroes.
Response
11 0F 0013 000A 2699
11: The Slave Address (17 = 11 hex)
0F: The Function Code (Force Multiple Coil, 15 = 0F hex)
0013: The Data Address of the first coil. (coil# 20 - 1 = 19 = 13 hex)
000A: The number of coils to written (10 = 0A hex)
2699: The CRC (cyclic redundancy check) for error checking.

Preset Multiple Registers (FC=16)

Request
This command is writing the contents of two analog output holding registers # 40002 & 40003 to
the slave device with address 17.
11 10 0001 0002 04 000A 0102 C6F0
11: The Slave Address (17 = 11 hex)
10: The Function Code (Preset Multiple Registers 16 = 10 hex)
0001: The Data Address of the first register. (# 40002 - 40001 = 1 )
0002: The number of registers to write
04: The number of data bytes to follow (2 registers x 2 bytes each = 4 bytes)
000A: The value to write to register 40002

0102: The value to write to register 40003

C6F0: The CRC (cyclic redundancy check) for error checking.
Response
11 10 0001 0002 1298
11: The Slave Address (17 = 11 hex)
10: The Function Code (Preset Multiple Registers 16 = 10 hex)
0001: The Data Address of the first register. (# 40002 - 40001 = 1 )
0002: The number of registers written.
1298: The CRC (cyclic redundancy check) for error checking.

Modbus ASCII vs Modbus RTU

Data formats
To review, we can see that each byte of data can be represented in different ways.
Binary (base2):
Decimal (base10):

10101110

2 characters 0 and 1

174

10 characters 0 through 9

Hexadecimal (base 16): AE

16 characters 0 through F

ASCII (base 256):

256 different characters

Message Delimiting
In Modbus RTU, bytes are sent consecutively with no space in between them with a 3-1/2
character space between messages for a delimiter. This allows the software to know when a new
message is starting.
Any delay between bytes will cause Modbus RTU to interpret it as the start of a new message.
This keeps Modbus RTU from working properly with modems.
Modbus ASCII marks the start of each message with a colon character " : " (hex 3A).
The end of each message is terminated with the carriage return and line feed characters (hex 0D
and 0A). This allows the space between bytes to be variable making it suitable for transmission
through some modems.
Byte Size
In Modbus RTU each byte is sent as a string of 8 binary characters framed with a start bit, and a
stop bit, making each byte 10 bits.

In Modbus ASCII, the number of data bits is reduced from 8 to 7. A parity bit is added before the
stop bit which keeps the actual byte size at 10 bits.
Split Data bytes
In Modbus ASCII, each data byte is split into the two bytes representing the two ASCII
characters in the Hexadecimal value. For example,
Modbus Mode

data (ASCII)

data (hex)
AE

data (binary)
1010 1110

Modbus RTU
Modbus ASCII

A,E

41 , 45

100 0001 , 100 0101

The range of data bytes in Modbus RTU can be any characters from 00 to FF.
The range of data bytes in Modbus ASCII represent only the 16 hexadecimal characters.
Therefore, every data byte in Modbus ASCII must be one of these 16:
ASCII

binary
011 0000

ASCII

hex
30

hex
38

binary
011 1000

31

011 0001

39

011 1001

32

011 0010

41

100 0001

33

011 0011

42

100 0010

34

011 0100

43

100 0011

35

011 0101

44

100 0100

36

011 0110

45

100 0101

37

011 0111

46

100 0110

Error Checksum - LRC Calculation

As mentioned earlier, each Modbus RTU message is terminate with two error checking bytes
called a CRC or Cyclic Redundancy Check. Similarly, Modbus ASCII is terminated with an error
checking byte called an LRC or Longitudinal Redundancy Check.
Here is a spreadsheet CRC calculator for messages up to 16 bytes.
To download a copy, right click and select Save Target As...
The calculation of the LRC is much easier than the CRC.
To calculate the LRC:
1. Add up all the data bytes in the message (before converting to ASCII and without the initial
colon and final CR/LF).
2. Throw away any bits that carry over 8 bits.
3. Make the result negative (by twos compliment) to get the LRC byte.

The sum of the resulting byte stream with the LRC will then be 0 since adding the negative
subtotal will make the final total zero.
For example, this command shows the data bytes required to request the content of analog output
holding registers 40108 to 40110 from the slave device with address 17.
11 03 00 6B 00 03
Add the bytes:
decimal
17

hex
11

binary
0001 0001

03

0000 0011

00

0000 0000

107

6B

0110 1011

00

0000 0000

03

0000 0011

decimal

hex
82

binary
1000 0010

total:

130

two's compliment (make negative) to get the LRC

decimal
-130

hex
7E

binary
0111 1110

total of the entire message including the LRC

decimal
0

hex
00

binary
0000 0000

The single hex LRC byte is 7E

The LRC byte is then split into two ASCII bytes with the rest of the data.
The two ASCII bytes for the LRC are then 37 and 45
ASCII vs RTU example:

Using the same example shown above to request registers 40108 to 40110 from slave address 17.
11 03 00 6B 00 03
The complete ASCII request is made by first adding the message delimiting characters. A
colon is added to the start of the message, the LRC, carriage return and line feed are added to the
end:
: 1 1

0 3

0 0

6 B

0 0

0 3

7 E

CR LF

Each character is now treated as an ASCII character and replaced with it's hex value to give the
final message.
3A 3131 3033 3030 3642 3030 3033 3745 0D 0A
This Modbus ASCII request size is 17 bytes (170 bits)
...............
The equivalent Modbus RTU message would be:
11 03 00 6B 00 03 76 87
This Modbus RTU request size is 8 bytes (80 bits)

Modbus TCP/IP
TCP/IP
TCP is Transmission Control Protocol and IP is Internet Protocol. These protocols are used
together and are the transport protocol for the internet. When modbus information is sent using
these protocols, the data is passed to TCP where additional information is attached and given to
IP. IP then places the data in a packet (or datagram) and transmits it.
TCP must establish a connection before transferring data, since it is a connection-based protocol.
The Master (or Client in Modbus TCP) establishes a connection with the Slave (or Server). The
Server waits for an incoming connection from the Client. Once a connection is established, the
Server then responds to the queries from the Client until the client closes the connection.
Modbus RTU over TCP
Simply put, this is a Modbus RTU message transmitted with a TCP/IP wrapper and sent over a
network instead of serial lines. The Server does not have a SlaveID since it uses an IP Address
instead.
Modbus TCP

A Modbus Messaging Implementation Guide provided by Schneider Automation outlines a

modified protocol specifically for use over TCP/IP. The official Modbus specification can be
found at www.modbus-ida.org. The main differences between Modbus RTU and Modbus TCP
are outlined here.
ADU & PDU
Aside from the main differences between serial and network connections stated above, there are
a few differences in the message content.
Starting with the Modbus RTU message and removing the SlaveID from the beginning and the
CRC from the end results in the PDU, Protocol Data Unit.
Here is an example of a Modbus RTU request for the content of analog output holding registers #
40108 to 40110 from the slave device with address 17.
11 03 006B 0003 7687
11: The SlaveID Address (17 = 11 hex)
03: The Function Code (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (40108-40001 = 107 =6B hex)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)
7687: The CRC (cyclic redundancy check) for error checking.
Removing the SlaveID and CRC gives the PDU:
03 006B 0003
MBAP Header
A new 7-byte header called the MBAP header (Modbus Application Header) is added to the start
of the message. This header has the following data:
Transaction Identifier: 2 bytes set by the Client to uniquely identify each request. These bytes are
echoed by the Server since its responses may not be received in the same order as the requests.
Protocol Identifier: 2 bytes set by the Client, always = 00 00
Length: 2 bytes identifying the number of bytes in the message to follow.
Unit Identifier: 1 byte set by the Client and echoed by the Server for identification of a remote
slave connected on a serial line or on other buses.

Summary
The equivalent request to this Modbus RTU example
11 03 006B 0003 7687
in Modbus TCP is:
0001 0000 0006 11 03 006B 0003
0001: Transaction Identifier
0000: Protocol Identifier
0006: Message Length (6 bytes to follow)
11: The Unit Identifier (17 = 11 hex)
03: The Function Code (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (40108-40001 = 107 =6B hex)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)
TCP/IP Wrapper

Exception Responses
Following a request, there are 4 possible outcomes from the slave.
1. The request is successfully processed by the slave and a valid response is sent.
2. The request is not received by the slave therefore no response is sent.
3. The request is received by the slave with a parity, CRC or LRC error.
The slave ignores the request and sends no response.
4. The request is received without an error, but cannot be processed by the slave for another
reason. The slave replies with an exception response.
In a normal response, the slave echoes the function code. The first sign of an exception response
is that the function code is shown in the echo with its highest bit set. All function codes have 0

for their most significant bit. Therefore, setting this bit to 1 is the signal that the slave cannot
process the request.
Function Code in Request

Function Code in Exception Response

01 (01 hex) 0000 0001

129 (81 hex) 1000 0001

02 (02 hex) 0000 0010

130 (82 hex) 1000 0010

03 (03 hex) 0000 0011

131 (83 hex) 1000 0011

04 (04 hex) 0000 0100

132 (84 hex) 1000 0100

05 (05 hex) 0000 0101

133 (85 hex) 1000 0101

06 (06 hex) 0000 0110

134 (86 hex) 1000 0110

15 (0F hex) 0000 1111

143 (8F hex) 1000 1111

16 (10 hex) 0001 0000

144 (90 hex) 1001 0000

Here is an example of a request with an Exception Response:

Request
This command is requesting the ON/OFF status of discrete coil #1186
from the slave device with address 10.
0A 01 04A1 0001 AC63
0A: The Slave Address (10 = 0A hex)
01: The Function Code (read Coil Status)
04A1: The Data Address of the first coil to read. (Coil 1186 - 1 = 1185 = 04A1 hex)
0001: The total number of coils requested.
AC63: The CRC (cyclic redundancy check) for error checking.
Response
0A 81 02 B053
0A: The Slave Address (10 = 0A hex)
81: The Function Code (read Coil Status - with the highest bit set)
02: The Exception Code
B053: The CRC (cyclic redundancy check).
Following the Function Code is the Exception Code. The exception code gives an indication of
the nature of the problem. The possible codes are shown in the table below.
The exception code shown above 02 is an indication that coil #1186 is an illegal address in the
slave. This coil has not been defined in the slave's modbus map.

The exception codes as explained in the Modbus specification are:

Exception
Code

01
(01 hex)

02
(02 hex)

03
(03 hex)

04
(04 hex)

Name

Meaning

Illegal
Function

The function code received in the query is not an allowable

action for the slave. This may be because the function code is
only applicable to newer devices, and was not implemented in
the unit selected. It could also indicate that the slave is in the
wrong state to process a request of this type, for example
because it is unconfigured and is being asked to return register
values. If a Poll Program Complete command was issued, this
code indicates that no program function preceded it.

Illegal Data
Address

The data address received in the query is not an allowable

address for the slave. More specifically, the combination of
reference number and transfer length is invalid. For a controller
with 100 registers, a request with offset 96 and length 4 would
succeed, a request with offset 96 and length 5 will generate
exception 02.

A value contained in the query data field is not an allowable

value for the slave. This indicates a fault in the structure of
remainder of a complex request, such as that the implied length
is incorrect. It specifically does NOT mean that a data item
Illegal Data Value
submitted for storage in a register has a value outside the
expectation of the application program, since the MODBUS
protocol is unaware of the significance of any particular value
of any particular register.
Slave Device
Failure

An unrecoverable error occurred while the slave was attempting

to perform the requested action.

05
(05 hex)

Acknowledge

Specialized use in conjunction with programming commands.

The slave has accepted the request and is processing it, but a
long duration of time will be required to do so. This response is
returned to prevent a timeout error from occurring in the master.
The master can next issue a Poll Program Complete message to
determine if processing is completed.

06
(06 hex)

Slave Device
Busy

Specialized use in conjunction with programming commands.

The slave is engaged in processing a long-duration program
command. The master should retransmit the message later
when the slave is free..

07
(07 hex)

Negative
Acknowledge

The slave cannot perform the program function received in the

query. This code is returned for an unsuccessful programming
request using function code 13 or 14 decimal. The master
should request diagnostic or error information from the slave.

08

Memory Parity

Specialized use in conjunction with function codes 20 and 21

(08 hex)

Error

and reference type 6, to indicate that the extended file area

failed to pass a consistency check.
The slave attempted to read extended memory or record file, but
detected a parity error in memory. The master can retry the
request, but service may be required on the slave device.

10
(0A hex)

Gateway Path
Unavailable

Specialized use in conjunction with gateways, indicates that the

gateway was unable to allocate an internal communication path
from the input port to the output port for processing the request.
Usually means the gateway is misconfigured or overloaded.

11
(0B hex)

Gateway Target Specialized use in conjunction with gateways, indicates that no

Device Failed to response was obtained from the target device. Usually means
Respond
that the device is not present on the network.

Frequently Asked Questions

What is Modbus?
Modbus is a serial communication protocol developed by Modicon published by Modicon in
1979 for use with its programmable logic controllers (PLCs). In simple terms, it is a method used
for transmitting information over serial lines between electronic devices. The device requesting
the information is called the Modbus Master and the devices supplying information are Modbus
Slaves. In a standard Modbus network, there is one Master and up to 247 Slaves, each with a
unique Slave Address from 1 to 247. The Master can also write information to the Slaves.
The official Modbus specification can be found at www.modbus.org/specs.php .
What is it used for?
Modbus is an open protocol, meaning that it's free for manufacturers to build into their
equipment without having to pay royalties. It has become a standard communications protocol in
industry, and is now the most commonly available means of connecting industrial electronic
devices. It is used widely by many manufacturers throughout many industries. Modbus is
typically used to transmit signals from instrumentation and control devices back to a main
controller or data gathering system, for example a system that measures temperature and
humidity and communicates the results to a computer. Modbus is often used to connect a
supervisory computer with a remote terminal unit (RTU) in supervisory control and data
acquisition (SCADA) systems. Versions of the Modbus protocol exist for serial lines (Modbus
RTU and Modbus ASCII) and for Ethernet (Modbus TCP).
How does it work?

Modbus is transmitted over serial lines between devices. The simplest setup would be a single
serial cable connecting the serial ports on two devices, a Master and a Slave.

>
The data is sent as series of ones and zeroes called bits. Each bit is sent as a voltage. Zeroes are
sent as positive voltages and a ones as negative. The bits are sent very quickly. A typical
transmission speed is 9600 baud (bits per second).
What is hexadecimal?
When troubleshooting problems, it can be helpful to see the actual raw data being transmitted.
Long strings of ones and zeroes are difficult to read, so the bits are combined and shown in
hexadecimal. Each block of 4 bits is represented by one of the sixteen characters from 0 to F.
0000 = 0

0100 = 4

1000 = 8

1100 = C

0001 = 1

0101 = 5

1001 = 9

1101 = D

0010 = 2

0110 = 6

1010 = A

1110 = E

0011 = 3

0111 = 7

1011 = B

1111 = F

Each block of 8 bits (called a byte) is represented by one of the 256 character pairs from 00 to
FF.
How is data stored in Standard Modbus?
Information is stored in the Slave device in four different tables.
Two tables store on/off discrete values (coils) and two store numerical values (registers). The
coils and registers each have a read-only table and read-write table.
Each table has 9999 values.
Each coil or contact is 1 bit and assigned a data address between 0000 and 270E.
Each register is 1 word = 16 bits = 2 bytes and also has data address between 0000 and 270E.
Coil/Register Numbers

Data Addresses

Type

Table Name

1-9999

0000 to 270E

Read-Write

Discrete Output Coils

10001-19999

0000 to 270E

Read-Only

Discrete Input Contacts

30001-39999

0000 to 270E

Read-Only

Analog Input Registers

40001-49999

0000 to 270E

Read-Write

Analog Output Holding Registers

Coil/Register Numbers can be thought of as location names since they do not appear in the actual
messages. The Data Addresses are used in the messages.
For example, the first Holding Register, number 40001, has the Data Address 0000.
The difference between these two values is the offset.
Each table has a different offset. 1, 10001, 30001 and 40001.
What is the Slave ID?
Each slave in a network is assigned a unique unit address from 1 to 247. When the master
requests data, the first byte it sends is the Slave address. This way each slave knows after the first
byte whether or not to ignore the message.
What is a function code?
The second byte sent by the Master is the Function code. This number tells the slave which table
to access and whether to read from or write to the table.
Function Code

Action

Table Name

01 (01 hex)

Read

Discrete Output Coils

05 (05 hex)

Write single

Discrete Output Coil

15 (0F hex)

Write multiple

Discrete Output Coils

02 (02 hex)

Read

Discrete Input Contacts

04 (04 hex)

Read

Analog Input Registers

03 (03 hex)

Read

Analog Output Holding Registers

06 (06 hex)

Write single

Analog Output Holding Register

16 (10 hex)

Write multiple

Analog Output Holding Registers

What is a CRC?
CRC stands for Cyclic Redundancy check. It is two bytes added to the end of every modbus
message for error detection. Every byte in the message is used to calculate the CRC. The
receiving device also calculates the CRC and compares it to the CRC from the sending device. If
even one bit in the message is received incorrectly, the CRCs will be different and an error will
result.
Here is a spreadsheet CRC calculator for messages up to 16 bytes.
To download a copy, right click and select Save Target As...
What are the formats of Modbus commands and responses?

Follow the links in this table to see examples of the requests and responses.
Data Addresses

Read

Write Single

Write Multiple

Discrete Output Coils 0xxxx

FC01

FC05

FC15

Discrete Input Contacts 1xxxx

FC02

NA

NA

Analog Input Registers 3xxxx

FC04

NA

NA

Analog Output Holding Registers 4xxxx

FC03

FC06

FC16

What are data types?

The example for FC03 shows that register 40108 contains AE41
which converts to the 16 bits 1010 1110 0100 0001
Great! But what does it mean? Well, it could mean a few things.
Register 40108 could be defined as any of these 16-bit data types:
A 16-bit unsigned integer (a whole number between 0 and 65535)
register 40108 contains AE41 = 44,609 (hex to decimal conversion)
A 16-bit signed integer (a whole number between -32768 and 32767)
AE41 = -20,927
(hex to decimal conversion that wraps, if its over 32767 then subtract 65536)
A two character ASCII string (2 typed letters)
AE41 = A
A discrete on/off value (this works the same as 16-bit integers with a value of 0 or 1.
The hex data would be 0000 or 0001)
Register 40108 could also be combined with 40109 to form any of these 32-bit data types:
A 32-bit unsigned integer (a number between 0 and 4,294,967,295)
40108,40109 = AE41 5652 = 2,923,517,522
A 32-bit signed integer (a number between -2,147,483,648 and 2,147,483,647)
AE41 5652 = -1,371,449,774
A 32-bit single precision IEEE floating point number.
This is a mathematical formula that allows any real number (a number with decimal
points) to represented by 32 bits with an accuracy of about seven digits.
AE41 5652 = -4.395978 E-11
Here is a spreadsheet IEEE float calculator for inputs of 4 bytes or 2 words.
To download a copy, right click and select Save Target As...

A four character ASCII string (4 typed letters)

AE41 5652 = A V R
More registers can be combined to form longer ASCII strings. Each register being used to store
two ASCII characters (two bytes).
What is byte and word ordering?
The Modbus specification doesn't define exactly how the data is stored in the registers.
Therefore, some manufacturers implemented modbus in their equipment to store and transmit the
higher byte first followed by the lower byte. (AE before 41).
Alternatively, others store and transmit the lower byte first (41 before AE).
Similarly, when registers are combined to represent 32-bit data types, Some devices store the
higher 16 bits (high word) in the first register and the remaining low word in the second (AE41
before 5652) while others do the opposite (5652 before AE41)
It doesn't matter which order the bytes or words are sent in, as long as the receiving device
knows which way to expect it.
For example, if the number 2,923,517,522 was to be sent as a 32 bit unsigned integer, it could be
arranged any of these four ways.
AE41
5652
41AE
5256

5652
AE41
5256
41AE

high byte first

high byte first
low byte first
low byte first

high word first

low word first
high word first
low word first

What is a Modbus Map?

A modbus map is simply a list for an individual slave device that defines
- what the data is (eg. pressure or temperature readings)
- where the data is stored (which tables and data addresses)
- how the data is stored (data types, byte and word ordering)
Some devices are built with a fixed map that is defined by the manufacturer. While other devices
allow the operator to configure or program a custom map to fit their needs.
What is the difference between Modbus ASCII and Modbus RTU?
The difference between these two modes is explained here.
What are extended register addresses?

Since the range of the analog output holding registers is 40001 to 49999, it implies that there
cannot be more than 9999 registers. Although this is usually enough for most applications, there
are cases where more registers would be beneficial.
Registers 40001 to 49999 correspond to data addresses 0000 to 270E. If we utilize the
remaining data addresses 270F to FFFF, over six times as many registers can be available,
65536 in total. This would correspond to register numbers from 40001 to 105536.
Many modbus software drivers (for Master PCs) were written with the 40001 to 49999 limits and
cannot access extended registers in slave devices. And many slave devices do not support maps
using the extended registers. But on the other hand, some slave devices do support these registers
and some Master software can access it, especially if custom software is written.
How does 2-byte slave addressing work?
Since a single byte is normally used to define the slave address and each slave on a network
requires a unique address, the number of slaves on a network is limited to 256. The limit defined
in the modbus specification is even lower at 247.
To get beyond this limit, a modification can be made to the protocol to use two bytes for the
address. The master and the slaves would all be required to support this modification. Two byte
addressing extends the limit on the number of slaves in a network to 65535.
By default, the Simply Modbus software uses 1 byte addressing. When an address greater than
255 is entered, the software automatically switches to 2 byte addressing and stays in this mode
for all addresses until the 2 byte addressing is manually turned off.
How can you send events and historical data?
Enron Modbus includes commands for moving events and historical data..
What is Enron Modbus?
Enron Modbus is a modification to the standard Modicon modbus communication protocol
developed by Enron Corporation.
See Enron Modbus for details.