Function code descriptions
FC 3 (03h) Read Input Registers / FC 4 (04h) Read Holding Registers
With this function code, one 16-bit value or multiple 16-bit values can be read. This function can be applied to NanoJ objects (see NanoJ objects) or process data objects (min. 4-byte alignment, see Process data objects (PDO)).
| Request | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0006h |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 03h / 04h |
| Start address | 2 bytes | 0000h to FFFFh |
| Number of registers | 2 bytes | 1 to (7Dh) |
| Response ("M" corresponds to the number of registers to be read) | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0003h + 2*M |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 03h / 04h |
| Number of bytes | 1 byte | 2 * M |
| Register value | 2 bytes | |
| Error | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0003h |
| Unit Identifier | 1 byte | 00h |
| Error code | 1 byte | 83h / 84h |
| Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
|
Example |
|
|
Below is an example of a read request and response of register 5000 (1388h) and of the following register (2 registers):
|
|
FC 6 (06h) Write Single Register
This function code can be used to write a single 16-bit value. The function can be used on process data objects (see Process data objects (PDO)).
| Request | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0006h |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 06h |
| Register address | 2 bytes | 0000h to FFFFh |
| Register value | 2 bytes | 0000h to FFFFh |
| Response | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0006h |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 06h |
| Register address | 2 bytes | 0000h to FFFFh |
| Register value | 2 bytes | 0000h to FFFFh |
| Error | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0003h |
| Unit Identifier | 1 byte | 00h |
| Error code | 1 byte | 86h |
| Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
|
Example |
|
|
Below is an example of a write request and response in register 6000 (1770h) with the value "0001h":
|
|
FC 16 (10h) Write Multiple Registers
With this function code, one 16-bit value or multiple 16-bit values can be written. The function can be applied to NanoJ objects (see Process data objects (PDO)) or process data objects (see NanoJ objects).
| Request ("N" is the number of registers to be written) | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0007h + N * 2 |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 10h |
| Start address | 2 bytes | 0000h to FFFFh |
| Number of registers | 2 bytes | 0001h to 007Bh |
| Number of bytes | 1 byte | 2 * N |
| Register value | N * 2 bytes | |
| Response | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0006h |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 10h |
| Start address | 2 bytes | 0000h to FFFFh |
| Number of registers | 2 bytes | 0001h to 007Bh |
| Error | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0003h |
| Unit Identifier | 1 byte | 00h |
| Error code | 1 byte | 90h |
| Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
|
Example |
|
|
Below is an example for writing values "0102h" and "0304h" starting with register address 6000 (1770h), number of registers is 2, length of the data is 4:
|
|
FC 23 (17h) Read/Write Multiple registers
With this function code, one 16-bit value or multiple 16-bit values can be simultaneously read and written. The function can be applied to NanoJ objects (see Process data objects (PDO)) or process data objects (see NanoJ objects).
| Request ("N" is the number of registers to be read): | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 000Bh + 2 * N |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 17h |
| Read: Start address | 2 bytes | 0000h to FFFFh |
| Read: Number of registers | 2 bytes | 0001h to 0079h |
| Write: Start address | 2 bytes | 0000h to FFFFh |
| Write: Number of registers | 2 bytes | 0001h to 0079h |
| Write: Number of bytes | 1 byte | 2 * N |
| Write: Register value | N * 2 bytes | |
| Response ("M" corresponds to the number of bytes to be written): | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0003h + 2 * M |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 17h |
| Number of bytes | 1 byte | 2 * M |
| Registers read | M * 2 bytes | |
| Error | ||
|---|---|---|
| Name | Length | Value |
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0003h |
| Unit Identifier | 1 byte | 00h |
| Error code | 1 byte | 97h |
| Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
|
Example |
|
|
Below is an example for reading two registers beginning with register 5000 (1388h) and for writing two registers beginning with register 6000 (1770h) with 4 bytes and data "0102h" and "0304h":
|
|
FC 43 (2Bh) Encapsulated Interface Transport
This function facilitates simple access of the CANopen object dictionary. Further details can be found in the following documentation:
- MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3, Date: 26.04.2014, Version: 1.1b3
- CiA 309 Draft Standard Proposal - Access from other networks - Part 2: Modbus/TCP mapping V1.3, Date: 30.07.2015, Version: 1.3
Definition of the request and response:
| Name | Length | Example/number range |
|---|---|---|
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 00NNh |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 2Bh (43d) |
| MEI type | 1 byte | 0Dh (13d) |
| Protocol options Range | 2 to 5 bytes | |
| Address and data range | N bytes |
Protocol options Range
| Name | Length | Example/number range |
|---|---|---|
| Protocol control | 1 to 2 bytes | See description |
| Reserved | 1 byte | Always 0 |
| (Optional) Counter byte | 1 byte | |
| (Optional) Network ID | 1 byte | |
| (Optional) Encoded data | 1 byte |
Protocol control:
The "Protocol control" field contains the flags that are needed for controlling the message protocols. The bytes of the "Protocol control" field are defined as follows if the "extended" flag was set (the second byte is otherwise omitted):
The most significant bit (MSB) is bit 0 for "protocol control" byte 1 and bit 8 for "protocol control" byte 2. The least significant bit (LSB) is bit 7 for "protocol control" byte 1 and bit 15 for "protocol control" byte 2.
| Bit | Name | Description |
|---|---|---|
| 0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
| 1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
| 2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
| 3 and 4 | Reserved | 0 |
| 5 | Network ID option | Not supported, must be "0". |
| 6 | Encoded data option | Not supported, must be "0". |
| 7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
| 8 to 15 | Reserved | 0 |
Address and data range
The address and data range is defined in the following table:
| Name | Byte size and byte order | Example / range |
|---|---|---|
| Node-ID | 1 byte | 01h to 7Fh |
| Index | 1 byte, high | 0000h to FFFFh |
| 1 byte, low | ||
| Subindex | 1 byte | 00h to FFh |
| Start address | 1 byte, high | 0000h to FFFFh |
| 1 byte, low | ||
| Number of data values | 1 byte, high | 0000h to 00FDh |
| 1 byte, low | ||
| Write/read data | n bytes | The data are encoded as described in chapter General. |
Example:
To read object 6042h:00h (16-bit value), the following message must be sent by the master (all values are in hexadecimal notation).
- Request
- Response
Shown as an additional example below, a sequence of Modbus messages is sent from the master to the slave to rotate the motor in "Velocity" mode:
Below are two examples for reading an object:
Error reaction
In the event of an error, the following error message is sent:
| Name | Length | Example value |
|---|---|---|
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 000Bh |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 6 |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | CEh |
| Error code | 4 bytes | CANopen error code, see following table |
| CANopen error code | Description |
|---|---|
| FFFF0000h | Abort no error |
| FFFF1003h | Service is not supported |
| FFFF1004h | Gap in counter byte of the Protocol control field |
| FFFF0003h | Unknown or invalid command |
| FFFF0008h | Access to the object is not supported |
| FFFF000Eh | General error in the parameter |
| FFFF0011h | Length of parameter incorrect |
| FFFF0012h | Parameter too long |
| FFFF0013h | Parameter too short |
| FFFF0015h | Parameter data outside of the permissible value range (for write commands) |
| FFFF0016h | Parameter data exceed the permissible value range (for write commands) |
| FFFF0017h | Parameter data below the permissible value range (for write commands) |
| FFFF0018h | Maximum entered values less than minimum values |
| FFFF0019h | General error |
| FFFF001Eh | Requested object is too large for single message |
| FFFF1004h | Invalid sequence of messages (e. g., if the value of the counter byte is not correct according to the previous request or response) |
In the event that the unsupported control option bit is set, the following error message is sent:
| Name | Length | Example value |
|---|---|---|
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0008/0009h |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 2 + length of "supported protocol control" |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | AEh |
| Supported protocol control | 1 or 2 bytes | See following table |
| Bit | Name | Description |
|---|---|---|
| 0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
| 1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
| 2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
| 3 and 4 | Reserved | 0 |
| 5 | Network ID option | Not supported, must be "0". |
| 6 | Encoded data option | Not supported, must be "0". |
| 7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
| 8 to 15 | Reserved | 0 |
The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:
- Request
- Response
FC 101 (65h) Read complete object dictionary
This function code is used to read out the complete object dictionary.
To start or restart the reading out of the object dictionary, subfunction code 55h must be sent. This code resets reading out of the object dictionary on object 0000h. All subsequent object dictionary frames must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated with the abort code "No data available".
The format of each "read object" is as follows:
| Name | Length | Value / note |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 65h |
| Subfunction code | 1 byte | 55h or AAh |
| Length of the data | 1 byte | 00h |
| CRC | 2 bytes |
| Name | Length | Value / note |
|---|---|---|
| Slave address | 1 byte | 65h |
| Function code | 1 byte | |
| Subfunction code | 1 byte | |
| Length of the data | 1 byte | |
| n times "object dictionary frame" | 1 - 252 bytes | |
| CRC | 2 bytes |
| Name | Value / note | |
|---|---|---|
| Index Low Byte | 1 byte | |
| Index High Byte | 1 byte | |
| Subindex | 1 byte | |
| Number of bytes | 1 byte | Number m of the valid data in the data field |
| Data byte | m-1 byte |
Example
All of the following numerical values are in hexadecimal format.
Start reading of the object dictionary with request:
The response is:
Read out the next part of the object dictionary with the request:
The response is:
Repeat reading of the object dictionary with the previous request until the response is an error:
Error reaction
In the event of an error, the following error message is sent:
| Name | Length | Example value |
|---|---|---|
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 000Bh |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 6 |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | CEh |
| Error code | 4 bytes | CANopen error code, see following table |
| CANopen error code | Description |
|---|---|
| FFFF0000h | Abort no error |
| FFFF1003h | Service is not supported |
| FFFF1004h | Gap in counter byte of the Protocol control field |
| FFFF0003h | Unknown or invalid command |
| FFFF0008h | Access to the object is not supported |
| FFFF000Eh | General error in the parameter |
| FFFF0011h | Length of parameter incorrect |
| FFFF0012h | Parameter too long |
| FFFF0013h | Parameter too short |
| FFFF0015h | Parameter data outside of the permissible value range (for write commands) |
| FFFF0016h | Parameter data exceed the permissible value range (for write commands) |
| FFFF0017h | Parameter data below the permissible value range (for write commands) |
| FFFF0018h | Maximum entered values less than minimum values |
| FFFF0019h | General error |
| FFFF001Eh | Requested object is too large for single message |
| FFFF1004h | Invalid sequence of messages (e. g., if the value of the counter byte is not correct according to the previous request or response) |
In the event that the unsupported control option bit is set, the following error message is sent:
| Name | Length | Example value |
|---|---|---|
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0008/0009h |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 2 + length of "supported protocol control" |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | AEh |
| Supported protocol control | 1 or 2 bytes | See following table |
| Bit | Name | Description |
|---|---|---|
| 0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
| 1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
| 2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
| 3 and 4 | Reserved | 0 |
| 5 | Network ID option | Not supported, must be "0". |
| 6 | Encoded data option | Not supported, must be "0". |
| 7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
| 8 to 15 | Reserved | 0 |
The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:
- Request
- Response
FC 102 (66h) Read complete array or record
This function code is used to read out the complete array or record from the object dictionary.
To start or restart the reading out of the array, subfunction code 55h must be sent. This code resets reading out on the object with subindex 00h. All subsequent requests must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated.
The format of each "read object" is as follows:
| Name | Length | Value / note |
|---|---|---|
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0007h |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 66h |
| Subfunction code | 1 byte | 55h or AAh |
| Length of the data | 1 byte | 00h |
| Index of the array to be read | 2 bytes |
| Name | Length | Value / note |
|---|---|---|
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0004h+n |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | |
| Subfunction code | 1 byte | |
| Length of the data | 1 byte | |
| n times object dictionary frame | 1 - 252 bytes |
| Name | Value / note | |
|---|---|---|
| Index Low Byte | 1 byte | |
| Index High Byte | 1 byte | |
| Subindex | 1 byte | |
| Number of bytes | 1 byte | Number m of the valid data in the data field |
| Data byte | m-1 byte |
Example
All of the following numerical values are in hexadecimal format; the index of the object that is to be read is 2400h.
Start reading of the array with request:
The response is:
Error reaction
In the event of an error, the following error message is sent:
| Name | Length | Example value |
|---|---|---|
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 000Bh |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 6 |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | CEh |
| Error code | 4 bytes | CANopen error code, see following table |
| CANopen error code | Description |
|---|---|
| FFFF0000h | Abort no error |
| FFFF1003h | Service is not supported |
| FFFF1004h | Gap in counter byte of the Protocol control field |
| FFFF0003h | Unknown or invalid command |
| FFFF0008h | Access to the object is not supported |
| FFFF000Eh | General error in the parameter |
| FFFF0011h | Length of parameter incorrect |
| FFFF0012h | Parameter too long |
| FFFF0013h | Parameter too short |
| FFFF0015h | Parameter data outside of the permissible value range (for write commands) |
| FFFF0016h | Parameter data exceed the permissible value range (for write commands) |
| FFFF0017h | Parameter data below the permissible value range (for write commands) |
| FFFF0018h | Maximum entered values less than minimum values |
| FFFF0019h | General error |
| FFFF001Eh | Requested object is too large for single message |
| FFFF1004h | Invalid sequence of messages (e. g., if the value of the counter byte is not correct according to the previous request or response) |
In the event that the unsupported control option bit is set, the following error message is sent:
| Name | Length | Example value |
|---|---|---|
| Transaction Identifier | 2 bytes | 0000h |
| Protocol Identifier | 2 bytes | 0000h |
| Length | 2 bytes | 0008/0009h |
| Unit Identifier | 1 byte | 00h |
| Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 2 + length of "supported protocol control" |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | AEh |
| Supported protocol control | 1 or 2 bytes | See following table |
| Bit | Name | Description |
|---|---|---|
| 0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
| 1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
| 2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
| 3 and 4 | Reserved | 0 |
| 5 | Network ID option | Not supported, must be "0". |
| 6 | Encoded data option | Not supported, must be "0". |
| 7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
| 8 to 15 | Reserved | 0 |
The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:
- Request
- Response
Exception codes
In case of an error, the following exception codes may be contained in the response depending on the function code:
| Code | Name | Description |
|---|---|---|
| 01 | Illegal Function | Function code not recognized/allowed |
| 02 | Illegal Data Address | Register address not valid or does not exist |
| 03 | Illegal Data Value | Value not valid |
| 04 | Device Failure | Unrecoverable error |
For further details, refer to Modbus specification MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3.