Most SCADA Integrators and users of modbus are familiar with the X0001 format for modbus registers, However, the true modbus standard is not simply one number it is a function code + register number. Specific devices treat the function codes differently on the front-end. The back end will interpret the 40000 registers as a function code/register.
This post will describe the standard and how the mapping between the X0000 registers and the functioncode/registers generally work.
Artistic Freedom
Modbus device developers will have their own idiosyncrasies when designing their modbus device
- Some devices will have the 3xxxx registers as input registers and the 4xxxx registers as holding registers
- Some devices will have the 4xxxx registers as input registers and the 3xxxx registers as holding registers
- Some devices will simplify the registers and integrate both 30000 and 40000 registers into one (usually 40000).
A typical register map for a modbus device could look something like this:
Coil Register 1: 00001
Status Register 1 : 10001
Holding Register 1: 40001
Input Register 1: 30001
Modbus Packets
Read Coil (Digital Output Registers) Function Code 1
Coil packets are generally represented as 0-10000, Coil 1 is 00001 while the Function Code representation is 1,1
Read Coil Request Packet
| Description | Address | Function Code | Initial Coil Offset | Number Of Points | CRC |
| Size (in bytes) | 1 | 1 | 2 | 2 | 2 |
| Example (hex) | 01 | 01 | 00 0A | 00 02 | 9D C9 |
Read Coil Response Packet
| Description | Address | Function Code | Byte Count | Coil Data | CRC |
| Size (in bytes) | 1 | 1 | 1 | Number of Points | 2 |
| Example (hex) | 01 | 01 | 01 | 03 | 11 89 |
Read Digital Input Status Function Code 2
Digital Input packets are generally represented as 10000-19999, DI1 is 00001 while the Function Code representation is 2,1
Read Input Request Packet
| Description | Address | Function Code | Initial Coil Offset | Number Of Points | CRC |
| Size (in bytes) | 1 | 1 | 2 | 2 | 2 |
| Example (hex) | 01 | 02 | 00 00 | 00 02 | F9 CB |
Read Input Response Packet
| Description | Address | Function Code | Byte Count | Input Data | CRC |
| Size (in bytes) | 1 | 1 | 1 | Number Of Points | 2 |
| Example (hex) | 01 | 02 | 01 | 02 | 20 49 |
Read Holding Registers Function Code 3
Holding Registers are generally represented with the 40000-50000 registers, register 40001 is 3,1
Read Input Request Packet
| Description | Address | Function Code | Initial Coil Offset | Number Of Points | CRC |
| Size (in bytes) | 1 | 1 | 2 | 2 | 2 |
| Example (hex) | 01 | 03 | 00 02 | 00 01 | 25 CA |
Read Input Response Packet
| Description | Address | Function Code | Byte Count | Input Data | CRC |
| Size (in bytes) | 1 | 1 | 1 | Number of Points X2 | 2 |
| Example (hex) | 01 | 03 | 02 | 07 FF | FA 34 |
Read Input Registers Function Code 4
Input Registers are generally represented with the 30000-49999 registers, register 30001 is 4,1.
Read Input Request Packet
| Description | Address | Function Code | Initial Coil Offset | Number Of Points | CRC |
| Size (in bytes) | 1 | 1 | 2 | 2 | 2 |
| Example (hex) | 01 | 04 | 00 00 | 00 01 | 31 CA |
Read Input Response Packet
| Description | Address | Function Code | Byte Count | Input Data | CRC |
| Size (in bytes) | 1 | 1 | 1 | Number of Points X2 | 2 |
| Example (hex) | 01 | 04 | 02 | 03 FF | F9 80 |
