Function code descriptions

FC 3 (03h) Read Input Registers / FC 4 (04h) Read Holding Registers

With this function code, one 16-bit value or multiple 16-bit values can be read. This function can be applied to NanoJ objects (see NanoJ objects) or process data objects (min. 4-byte alignment, see Process data objects (PDO)).

Request

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 03h / 04h |
| Start address | 2 bytes | 0000h to FFFFh |
| Number of registers | 2 bytes | 1 to 7Dh |
| CRC | 2 bytes | |

Response ("M" corresponds to the number of registers to be read)

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 03h / 04h |
| Number of bytes | 1 byte | 2 * M |
| Register value | 2 bytes | |
| CRC | 2 bytes | |

Error

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Error code | 1 byte | 83h / 84h |
| Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
| CRC | 2 bytes | |

Example

Below is an example of a read request and response of register 5000 (1388h) and of the following register (2 registers):

Request / Response

FC 6 (06h) Write Single Register

This function code can be used to write a single 16-bit value. The function can be used on process data objects (see Process data objects (PDO)).

Request

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 06h |
| Register address | 2 bytes | 0000h to FFFFh |
| Register value | 2 bytes | 0000h to FFFFh |
| CRC | 2 bytes | |

Response

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 06h |
| Register address | 2 bytes | 0000h to FFFFh |
| Register value | 2 bytes | 0000h to FFFFh |
| CRC | 2 bytes | |

Error

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Error code | 1 byte | 86h |
| Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
| CRC | 2 bytes | |

Example

Below is an example of a write request and response in register 6000 (1770h) with the value "0001h":

Request / Response

FC 16 (10h) Write Multiple Registers

With this function code, one 16-bit value or multiple 16-bit values can be written. The function can be applied to NanoJ objects (see NanoJ objects) or process data objects (see Process data objects (PDO)).

Request ("N" is the number of registers to be written)

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 10h |
| Start address | 2 bytes | 0000h to FFFFh |
| Number of registers | 2 bytes | 0001h to 007Bh |
| Number of bytes | 1 byte | 2 * N |
| Register value | N * 2 bytes | |
| CRC | 2 bytes | |

Response

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 10h |
| Start address | 2 bytes | 0000h to FFFFh |
| Number of registers | 2 bytes | 0001h to 007Bh |
| CRC | 2 bytes | |

Error

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Error code | 1 byte | 90h |
| Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
| CRC | 2 bytes | |

Example

Below is an example for writing values "0102h" and "0304h" starting with register address 6000 (1770h), number of registers is 2, length of the data is 4:

Request / Response

FC 17 (11h) Report Server ID

This function code can be used to read the description of the type, the current status and other information about the device.

Request

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 11h |
| CRC | 2 bytes | |

Response

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 03h |
| Number of bytes | 1 byte | 01h |
| Run Indicator Status | 1 byte | 00h = OFF, FFh = ON |
| Additional data | | |
| CRC | 2 bytes | |

Error

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Error code | 1 byte | 91h |
| Exception code (see Exception codes) | 1 byte | 01 or 04 |
| CRC | 2 bytes | |

Example

Below is an example of a request/response for ID and status:

Request / Response

FC 23 (17h) Read/Write Multiple registers

With this function code, one 16-bit value or multiple 16-bit values can be simultaneously read and written. The function can be applied to NanoJ objects (see NanoJ objects) or process data objects (see Process data objects (PDO)).

Request ("N" is the number of registers to be read):

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 17h |
| Read: Start address | 2 bytes | 0000h to FFFFh |
| Read: Number of registers | 2 bytes | 0001h to 0079h |
| Write: Start address | 2 bytes | 0000h to FFFFh |
| Write: Number of registers | 2 bytes | 0001h to 0079h |
| Write: Number of bytes | 1 byte | 2 * N |
| Write: Register value | N * 2 bytes | |
| CRC | 2 bytes | |

Response ("M" corresponds to the number of bytes to be written):

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 17h |
| Number of bytes | 1 byte | 2 * M |
| Registers read | M * 2 bytes | |
| CRC | 2 bytes | |

Error

| Name | Length | Value |
|---|---|---|
| Slave address | 1 byte | |
| Error code | 1 byte | 97h |
| Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
| CRC | 2 bytes | |

Example

Below is an example for reading two registers beginning with register 5000 (1388h) and for writing two registers beginning with register 6000 (1770h) with 4 bytes and data "0102h" and "0304h":

Request / Response

FC 8 (08h) Diagnostics

Modbus function code FC08 offers numerous tests for checking the communication system between client and server or for checking various internal error states within the server. This function uses a two-byte subfunction code in the request for defining the type of test. In a normal response, the server repeats both the function code and the subfunction code. Some diagnoses contain data of the device in the data field of the normal response.

Request:

| Name | Length | Value |
|---|---|---|
| Function code | 1 byte | 08h |
| Subfunction code | 2 bytes | |
| Data | N x 2 bytes | |

Response:

| Name | Length | Value |
|---|---|---|
| Function code | 1 byte | 08h |
| Subfunction code | 2 bytes | |
| Data | N x 2 bytes | |

Error:

| Name | Length | Value |
|---|---|---|
| Function code | 1 byte | 88h |
| Exception code (see Exception codes) | 1 byte | 01 or 03 or 04 |

FC 8.10 (08h.0Ah) Clear Counters and Diagnostic Register

The objective of this request is to reset all counters and diagnosis registers. Counters are also reset when the controller is switched on.

| Subfunction | Data range (request) | Data range (response) |
|---|---|---|
| 00h 0Ah | 00h - 00h | Echo of the request data |

Example

Request / Response

FC 8.11 (08h.0Bh) Return Bus Message Count

The response data range returns the number of messages detected by the communications system since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller.

| Subfunction | Data range (request) | Data range (response) |
|---|---|---|
| 00h 0Bh | 00h - 00h | Total Message Count |

FC 8.12 (08h.0Ch) Return Bus Communication Error Count

The response data range returns the number of CRC errors since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller.

| Subfunction | Data range (request) | Data range (response) |
|---|---|---|
| 00h 0Ch | 00h - 00h | CRC Error Count |

Example

Request / Response

FC 8.13 (08h.0Dh) Return Bus Exception Error Count

The response data range returns the number of Modbus exceptions since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller.

| Subfunction | Data range (request) | Data range (response) |
|---|---|---|
| 00h 0Dh | 00h - 00h | Exception Error Count |

Example

Request / Response

FC 8.14 (08h.0Eh) Return Server Message Count

The response data range returns the number of messages addressed to the device and the number of broadcast messages that were processed by the controller. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.

| Subfunction | Data range (request) | Data range (response) |
|---|---|---|
| 00h 0Eh | 00h - 00h | Server Message Count |

Example

Request / Response

FC 8.15 (08h.0Fh) Return Server No Response Count

The response data range returns the number of messages addressed to the controller for which no response was returned (neither normal response nor exception response). The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.

| Subfunction | Data range (request) | Data range (response) |
|---|---|---|
| 00h 0Fh | 00h - 00h | No Response Count |

Example

Request / Response

FC 8.16 (08h.10h) Return Server NAK Count

The response data range returns the number of messages for which a "Negative Acknowledge (NAK)" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.

| Subfunction | Data range (request) | Data range (response) |
|---|---|---|
| 00h - 10h | 00h - 00h | Server NAK Count |

Example

Request / Response

FC 8.17 (08h.11h) Return Server Busy Count

The response data range returns the number of messages for which a "Server Device Busy" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.

| Subfunction | Data range (request) | Data range (response) |
|---|---|---|
| 00h - 11h | 00h - 00h | Server NAK Count |

Example

Request / Response

FC 8.18 (08h.12h) Return Bus Character Overrun Count

The response data range returns the number of messages addressed to the controller that could not be processed due to a character overrun. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. A character overrun occurs when characters arrive at the controller faster than they can be stored or when a character is lost due to a hardware malfunction.

| Subfunction | Data range (request) | Data range (response) |
|---|---|---|
| 00h - 12h | 00h - 00h | Server Character Overrun Count |

Example

Request / Response

FC 43 (2Bh) Encapsulated Interface Transport

This function facilitates simple access of the CANopen object dictionary.
Further details can be found in the following documentation:

- MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3, Date: 26.04.2014, Version: 1.1b3
- CiA 309 Draft Standard Proposal - Access from other networks - Part 2: Modbus/TCP mapping V1.3, Date: 30.07.2015, Version: 1.3

Note: For the messages of the Encapsulated Interface Transport, another byte sequence applies in part, see chapter General.

Definition of the request and response:

| Name | Length | Example/number range |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 2Bh (43d) |
| MEI type | 1 byte | 0Dh (13d) |
| Protocol options Range | 2 to 5 bytes | |
| Address and data range | N bytes | |
| CRC | 2 bytes | |

Protocol options Range

| Name | Length | Example/number range |
|---|---|---|
| Protocol control | 1 to 2 bytes | See description |
| Reserved | 1 byte | Always 0 |
| (Optional) Counter byte | 1 byte | |
| (Optional) Network ID | 1 byte | |
| (Optional) Encoded data | 1 byte | |

Protocol control: The "Protocol control" field contains the flags that are needed for controlling the message protocols. The bytes of the "Protocol control" field are defined as follows if the "extended" flag was set (the second byte is otherwise omitted):

The most significant bit (MSB) is bit 0 for "protocol control" byte 1 and bit 8 for "protocol control" byte 2. The least significant bit (LSB) is bit 7 for "protocol control" byte 1 and bit 15 for "protocol control" byte 2.

| Bit | Name | Description |
|---|---|---|
| 0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
| 1 | Extended protocol control | Length of the protocol control; the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
| 2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
| 3 and 4 | Reserved | 0 |
| 5 | Network ID option | Not supported, must be "0". |
| 6 | Encoded data option | Not supported, must be "0". |
| 7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
| 8 to 15 | Reserved | 0 |

Address and data range

The address and data range is defined in the following table:

| Name | Byte size and byte order | Example / range |
|---|---|---|
| Node-ID | 1 byte | 01h to 7Fh |
| Index | 1 byte, high; 1 byte, low | 0000h to FFFFh |
| Subindex | 1 byte | 00h to FFh |
| Start address | 1 byte, high; 1 byte, low | 0000h to FFFFh |
| Number of data values | 1 byte, high; 1 byte, low | 0000h to 00FDh |
| Write/read data | n bytes | The data are encoded as described in chapter General. |

Example:

To read object 6042h:00h (16-bit value), the following message must be sent by the master (all values are in hexadecimal notation, the slave ID of the controller is "5").

Request / Response

Shown as an additional example below, a sequence of Modbus messages is sent from the master to the slave to rotate the motor in "Velocity" mode:

Set 6060 = "02h" (Velocity mode): Request / Response
Set 2031 = "03E8h" (1000 mA): Request / Response
Set 6040 = "00h": Request / Response
Set 6040 = "80h": Request / Response
Set 6040 = "06h": Request / Response
Set 6040 = "07h": Request / Response
Set 6040 = "0Fh": Request / Response

Below are two examples for reading an object:

Read 6041h:00h: Request / Response
Read 6061h:00h: Request / Response

Error reaction

In the event of an error, the following error message is sent:

| Name | Length | Example value |
|---|---|---|
| Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 6 |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | CEh |
| Error code | 4 bytes | CANopen error code, see following table |

| CANopen error code | Description |
|---|---|
| FFFF0000h | Abort no error |
| FFFF1003h | Service is not supported |
| FFFF1004h | Gap in counter byte of the Protocol control field |
| FFFF0003h | Unknown or invalid command |
| FFFF0008h | Access to the object is not supported |
| FFFF000Eh | General error in the parameter |
| FFFF0011h | Length of parameter incorrect |
| FFFF0012h | Parameter too long |
| FFFF0013h | Parameter too short |
| FFFF0015h | Parameter data outside of the permissible value range (for write commands) |
| FFFF0016h | Parameter data exceed the permissible value range (for write commands) |
| FFFF0017h | Parameter data below the permissible value range (for write commands) |
| FFFF0018h | Maximum entered values less than minimum values |
| FFFF0019h | General error |
| FFFF001Eh | Requested object is too large for single message |
| FFFF1004h | Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response) |

In the event that the unsupported control option bit is set, the following error message is sent:

| Name | Length | Example value |
|---|---|---|
| Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 2 + length of "supported protocol control" |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | AEh |
| Supported protocol control | 1 or 2 bytes | See following table |

| Bit | Name | Description |
|---|---|---|
| 0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
| 1 | Extended protocol control | Length of the protocol control; the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
| 2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
| 3 and 4 | Reserved | 0 |
| 5 | Network ID option | Not supported, must be "0". |
| 6 | Encoded data option | Not supported, must be "0". |
| 7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
| 8 to 15 | Reserved | 0 |

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request / Response

FC 101 (65h) Read complete object dictionary

This function code is used to read out the complete object dictionary. To start or restart the reading out of the object dictionary, subfunction code 55h must be sent. This code resets reading out of the object dictionary on object 0000h. All subsequent object dictionary frames must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated with the abort code "No data available".

The format of each "read object" is as follows:

Request:

| Name | Length | Value / note |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 65h |
| Subfunction code | 1 byte | 55h or AAh |
| Length of the data | 1 byte | 00h |
| CRC | 2 bytes | |

Response:

| Name | Length | Value / note |
|---|---|---|
| Slave address | 1 byte | 65h |
| Function code | 1 byte | |
| Subfunction code | 1 byte | |
| Length of the data | 1 byte | |
| n times "object dictionary frame" | 1 - 252 bytes | |
| CRC | 2 bytes | |

An object dictionary frame consists of the following bytes:

| Name | Length | Value / note |
|---|---|---|
| Index Low Byte | 1 byte | |
| Index High Byte | 1 byte | |
| Subindex | 1 byte | |
| Number of bytes | 1 byte | Number m of the valid data in the data field |
| Data byte | m-1 byte | |

Example

All of the following numerical values are in hexadecimal format. The address of the slave is "5".

Start reading of the object dictionary with request:

The response is:

Read out the next part of the object dictionary with the request:

The response is:

Repeat reading of the object dictionary with the previous request until the response is an error:

Error reaction

In the event of an error, the following error message is sent:

| Name | Length | Example value |
|---|---|---|
| Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 6 |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | CEh |
| Error code | 4 bytes | CANopen error code, see following table |

| CANopen error code | Description |
|---|---|
| FFFF0000h | Abort no error |
| FFFF1003h | Service is not supported |
| FFFF1004h | Gap in counter byte of the Protocol control field |
| FFFF0003h | Unknown or invalid command |
| FFFF0008h | Access to the object is not supported |
| FFFF000Eh | General error in the parameter |
| FFFF0011h | Length of parameter incorrect |
| FFFF0012h | Parameter too long |
| FFFF0013h | Parameter too short |
| FFFF0015h | Parameter data outside of the permissible value range (for write commands) |
| FFFF0016h | Parameter data exceed the permissible value range (for write commands) |
| FFFF0017h | Parameter data below the permissible value range (for write commands) |
| FFFF0018h | Maximum entered values less than minimum values |
| FFFF0019h | General error |
| FFFF001Eh | Requested object is too large for single message |
| FFFF1004h | Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response) |

In the event that the unsupported control option bit is set, the following error message is sent:

| Name | Length | Example value |
|---|---|---|
| Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 2 + length of "supported protocol control" |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | AEh |
| Supported protocol control | 1 or 2 bytes | See following table |

| Bit | Name | Description |
|---|---|---|
| 0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
| 1 | Extended protocol control | Length of the protocol control; the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
| 2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
| 3 and 4 | Reserved | 0 |
| 5 | Network ID option | Not supported, must be "0". |
| 6 | Encoded data option | Not supported, must be "0". |
| 7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
| 8 to 15 | Reserved | 0 |

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request / Response

FC 102 (66h) Read complete array or record

This function code is used to read out the complete array or record from the object dictionary. To start or restart the reading out of the array, subfunction code 55h must be sent. This code resets reading out on the object with subindex 00h.
All subsequent requests must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated.

The format of each "read object" is as follows:

Request:

| Name | Length | Value / note |
|---|---|---|
| Slave address | 1 byte | |
| Function code | 1 byte | 66h |
| Subfunction code | 1 byte | 55h or AAh |
| Length of the data | 1 byte | 00h |
| Index of the array to be read | 2 bytes | |
| CRC | 2 bytes | |

Response:

| Name | Length | Value / note |
|---|---|---|
| Slave address | 1 byte | 65h |
| Function code | 1 byte | |
| Subfunction code | 1 byte | |
| Length of the data | 1 byte | |
| n times object dictionary frame | 1 - 252 bytes | |
| CRC | 2 bytes | |

An object dictionary frame consists of the following bytes:

| Name | Length | Value / note |
|---|---|---|
| Index Low Byte | 1 byte | |
| Index High Byte | 1 byte | |
| Subindex | 1 byte | |
| Number of bytes | 1 byte | Number m of the valid data in the data field |
| Data byte | m-1 byte | |

Example

All of the following numerical values are in hexadecimal format; the index of the object that is to be read is 2400h. The address of the slave is "5".

Start reading of the array with request:

The response is:

Error reaction

In the event of an error, the following error message is sent:

| Name | Length | Example value |
|---|---|---|
| Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 6 |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | CEh |
| Error code | 4 bytes | CANopen error code, see following table |

| CANopen error code | Description |
|---|---|
| FFFF0000h | Abort no error |
| FFFF1003h | Service is not supported |
| FFFF1004h | Gap in counter byte of the Protocol control field |
| FFFF0003h | Unknown or invalid command |
| FFFF0008h | Access to the object is not supported |
| FFFF000Eh | General error in the parameter |
| FFFF0011h | Length of parameter incorrect |
| FFFF0012h | Parameter too long |
| FFFF0013h | Parameter too short |
| FFFF0015h | Parameter data outside of the permissible value range (for write commands) |
| FFFF0016h | Parameter data exceed the permissible value range (for write commands) |
| FFFF0017h | Parameter data below the permissible value range (for write commands) |
| FFFF0018h | Maximum entered values less than minimum values |
| FFFF0019h | General error |
| FFFF001Eh | Requested object is too large for single message |
| FFFF1004h | Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response) |

In the event that the unsupported control option bit is set, the following error message is sent:

| Name | Length | Example value |
|---|---|---|
| Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 2 + length of "supported protocol control" |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | AEh |
| Supported protocol control | 1 or 2 bytes | See following table |

| Bit | Name | Description |
|---|---|---|
| 0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
| 1 | Extended protocol control | Length of the protocol control; the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
| 2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
| 3 and 4 | Reserved | 0 |
| 5 | Network ID option | Not supported, must be "0". |
| 6 | Encoded data option | Not supported, must be "0". |
| 7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
| 8 to 15 | Reserved | 0 |

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request / Response

Exception codes

In case of an error, the following exception codes may be contained in the response depending on the function code:

| Code | Name | Description |
|---|---|---|
| 01 | Illegal Function | Function code not recognized/allowed |
| 02 | Illegal Data Address | Register address not valid or does not exist |
| 03 | Illegal Data Value | Value not valid |
| 04 | Device Failure | Unrecoverable error |

For further details, refer to Modbus specification MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3.
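
The request tables for FC 3/4, FC 6 and FC 16 above, applied as a receive-side check such as a serial gateway or logger in front of the controller might run. This is an added example, not code from the manual or its vendor: the names `crc16_modbus`, `build_frame` and `check_request` are hypothetical, the CRC parameters and big-endian register order come from the Modbus serial line specification rather than from this page, and all frames are constructed.

```python
import struct

# Quantity limits copied from the request tables on this page.
READ_MAX = 0x7D         # FC 03/04 "Number of registers": up to 7Dh
WRITE_MULTI_MAX = 0x7B  # FC 16 "Number of registers": 0001h to 007Bh


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value FFFFh, reflected polynomial A001h."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(slave: int, pdu: bytes) -> bytes:
    """Prefix the slave address and append the CRC, low byte first."""
    body = bytes([slave]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def check_request(frame: bytes):
    """Return (verdict, detail); verdict is 'read', 'write' or 'reject'."""
    if len(frame) < 4:
        return "reject", "shorter than address + function code + CRC"
    body = frame[:-2]
    if struct.unpack("<H", frame[-2:])[0] != crc16_modbus(body):
        return "reject", "CRC mismatch"
    slave, fc, data = body[0], body[1], body[2:]

    if fc in (0x03, 0x04):
        if len(data) != 4:
            return "reject", "FC 03/04 request must carry 4 data bytes"
        start, qty = struct.unpack(">HH", data)
        if not 1 <= qty <= READ_MAX:
            return "reject", f"register count {qty} outside 1..{READ_MAX}"
        return "read", f"slave {slave}: {qty} register(s) from {start:04X}h"

    if fc == 0x06:
        if len(data) != 4:
            return "reject", "FC 06 request must carry 4 data bytes"
        addr, value = struct.unpack(">HH", data)
        return "write", f"slave {slave}: {addr:04X}h = {value:04X}h"

    if fc == 0x10:
        if len(data) < 5:
            return "reject", "FC 16 request header truncated"
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if not 1 <= qty <= WRITE_MULTI_MAX:
            return "reject", f"register count {qty} outside 1..{WRITE_MULTI_MAX}"
        # "Number of bytes" must be 2 * N and match what was actually sent.
        if nbytes != 2 * qty or len(data) != 5 + nbytes:
            return "reject", "byte count does not equal 2 * N"
        values = struct.unpack(f">{qty}H", data[5:])
        listed = ", ".join(f"{v:04X}h" for v in values)
        return "write", f"slave {slave}: {listed} from {start:04X}h"

    # Everything else (diagnostics, FC 23, FC 43, FC 101/102) is left to
    # local policy; this example only knows the three layouts above.
    return "reject", f"function code {fc:02X}h not on this example's allowlist"


if __name__ == "__main__":
    # Constructed frames: slave 5 reads 2 registers from 1388h, then
    # writes 0102h and 0304h starting at 1770h (the page's own scenarios).
    for pdu in ("03 13 88 00 02", "10 17 70 00 02 04 01 02 03 04"):
        frame = build_frame(5, bytes.fromhex(pdu))
        print(frame.hex(" "), "->", check_request(frame))
```

Separating the 'read' and 'write' verdicts lets a logger record every register write while passing routine polling through quietly.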
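
The FC 43 "Protocol control" numbering is easy to get backwards, because bit 0 is the most significant bit of byte 1. The decoder below is an added example, not the manual's or the vendor's code: `parse_mei_0d`, `MeiRequest` and `MeiError` are hypothetical names, the input is the byte string that follows the MEI type 0Dh, the sample bytes are constructed, and it assumes that "Number of data values" counts data bytes and that a read request carries no data.

```python
from dataclasses import dataclass
from typing import Optional


def bit(n: int) -> int:
    """Mask for protocol control bit n, where bit 0 is the MSB of byte 1."""
    return 0x80 >> n


EXTENDED = bit(0)        # part of a multiple message transaction
EXT_CONTROL = bit(1)     # protocol control is 2 bytes long
COUNTER_OPT = bit(2)     # counter byte present
RESERVED = bit(3) | bit(4)
NETWORK_ID = bit(5)      # not supported, must be 0
ENCODED_DATA = bit(6)    # not supported, must be 0
ACCESS_WRITE = bit(7)    # 0 = read, 1 = write


class MeiError(ValueError):
    """The fields violate a rule from the tables on this page."""


@dataclass
class MeiRequest:
    write: bool
    multi_message: bool
    counter: Optional[int]
    node_id: int
    index: int
    subindex: int
    start_address: int
    count: int
    data: bytes


def parse_mei_0d(fields: bytes) -> MeiRequest:
    pos = 0

    def take(n: int, what: str) -> bytes:
        nonlocal pos
        if pos + n > len(fields):
            raise MeiError(f"truncated before {what}")
        chunk = fields[pos:pos + n]
        pos += n
        return chunk

    ctrl = take(1, "protocol control")[0]
    if ctrl & (NETWORK_ID | ENCODED_DATA):
        # The page says the device answers this with exception code AEh.
        raise MeiError("unsupported option bit set (bit 5 or 6)")
    if ctrl & RESERVED:
        raise MeiError("reserved bits 3 and 4 must be 0")
    # Per the bit table, bit 1 decides whether a second byte follows.
    if ctrl & EXT_CONTROL and take(1, "protocol control byte 2")[0] != 0:
        raise MeiError("reserved bits 8 to 15 must be 0")
    if take(1, "reserved byte")[0] != 0:
        raise MeiError("reserved byte must be 0")
    counter = take(1, "counter byte")[0] if ctrl & COUNTER_OPT else None

    node_id = take(1, "node-ID")[0]
    if not 0x01 <= node_id <= 0x7F:
        raise MeiError("node-ID outside 01h to 7Fh")
    index = int.from_bytes(take(2, "index"), "big")          # high byte first
    subindex = take(1, "subindex")[0]
    start = int.from_bytes(take(2, "start address"), "big")
    count = int.from_bytes(take(2, "number of data values"), "big")
    if count > 0x00FD:
        raise MeiError("number of data values above 00FDh")

    data = fields[pos:]
    write = bool(ctrl & ACCESS_WRITE)
    # Assumption (see lead-in): count is in bytes; reads carry no data.
    if write and len(data) != count:
        raise MeiError("write data length differs from number of data values")
    if not write and data:
        raise MeiError("read request carries data bytes")
    return MeiRequest(write, bool(ctrl & EXTENDED), counter, node_id,
                      index, subindex, start, count, data)


if __name__ == "__main__":
    # Constructed: read 2 bytes of 6042h:00h from node-ID 01h.
    print(parse_mei_0d(bytes.fromhex("00 00 01 60 42 00 00 00 00 02")))
```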
Function code descriptions FC 3 (03h) Read Input Registers / FC 4 (04h) Read Holding Registers With this function code, one 16-bit value or multiple 16-bit values can be read. This function can be applied to NanoJ objects (see NanoJ objects) or process data objects (min. 4-byte alignment, see Process data objects (PDO)). Request Name Length Value Slave address 1 byte Function code 1 byte 03h / 04h Start address 2 bytes 0000h to FFFFh Number of registers 2 bytes 1 to (7Dh) CRC 2 bytes Response ("M" corresponds to the number of registers to be read) Name Length Value Slave address 1 byte Function code 1 byte 03h / 04h Number of bytes 1 byte 2 * M Register value 2 bytes CRC 2 bytes Error Name Length Value Slave address 1 byte Error code 1 byte 83h / 84h Exception code (see Exception codes) 1 byte 01, 02, 03 or 04 CRC 2 bytes Example Below is an example of a read request and response of register 5000 (1388h) and of the following register (2 registers): Request Response FC 6 (06h) Write Single Register This function code can be used to write a single 16-bit value. The function can be used on process data objects (see Process data objects (PDO)). Request Name Length Value Slave address 1 byte Function code 1 byte 06h Register address 2 bytes 0000h to FFFFh Register value 2 bytes 0000h to FFFFh CRC 2 bytes Response Name Length Value Slave address 1 byte Function code 1 byte 06h Register address 2 bytes 0000h to FFFFh Register value 2 bytes 0000h to FFFFh CRC 2 bytes Error Name Length Value Slave address 1 byte Error code 1 byte 86h Exception code (see Exception codes) 1 byte 01, 02, 03 or 04 CRC 2 bytes Example Below is an example of a write request and response in register 6000 (1770h) with the value "0001h": Request Response FC 16 (10h) Write Multiple Registers With this function code, one 16-bit value or multiple 16-bit values can be written. The function can be applied to NanoJ objects (see Process data objects (PDO)) or process data objects (see NanoJ objects). 
Request ("N" is the number of registers to be written) Name Length Value Slave address 1 byte Function code 1 byte 10h Start address 2 bytes 0000h to FFFFh Number of registers 2 bytes 0001h to 007Bh Number of bytes 1 byte 2 * N Register value N * 2 bytes CRC 2 bytes Response Name Length Value Slave address 1 byte Function code 1 byte 10h Start address 2 bytes 0000h to FFFFh Number of registers 2 bytes 0001h to 007Bh CRC 2 bytes Error Name Length Value Slave address 1 byte Error code 1 byte 90h Exception code (see Exception codes) 1 byte 01, 02, 03 or 04 CRC 2 bytes Example Below is an example for writing values "0102h" and "0304h" starting with register address 6000 (1770h), number of registers is 2, length of the data is 4: Request Response FC 17 (11h) Report Server ID This function code can be used to read the description of the type, the current status and other information about the device. Request Name Length Value Slave address 1 byte Function code 1 byte 11h CRC 2 bytes Response Name Length Value Slave address 1 byte Function code 1 byte 03h Number of bytes 1 byte 01h Run Indicator Status 1 byte 00h = OFF, FFh = ON Additional data CRC 2 bytes Error Name Length Value Slave address 1 byte Error code 1 byte 91h Exception code (see Exception codes) 1 byte 01 or 04 CRC 2 bytes Example Below is an example of a request/response for ID and status: Request Response FC 23 (17h) Read/Write Multiple registers With this function code, one 16-bit value or multiple 16-bit values can be simultaneously read and written. The function can be applied to NanoJ objects (see Process data objects (PDO)) or process data objects (see NanoJ objects). 
Request ("N" is the number of registers to be read): Name Length Value Slave address 1 byte Function code 1 byte 17h Read: Start address 2 bytes 0000h to FFFFh Read: Number of registers 2 bytes 0001h to 0079h Write: Start address 2 bytes 0000h to FFFFh Write: Number of registers 2 bytes 0001h to 0079h Write: Number of bytes 1 byte 2 * N Write: Register value N * 2 bytes CRC 2 bytes Response ("M" corresponds to the number of bytes to be written): Name Length Value Slave address 1 byte Function code 1 byte 17h Number of bytes 1 byte 2 * M Registers read M * 2 bytes CRC 2 bytes Error Name Length Value Slave address 1 byte Error code 1 byte 97h Exception code (see Exception codes) 1 byte 01, 02, 03 or 04 CRC 2 bytes Example Below is an example for reading two registers beginning with register 5000 (1388h) and for writing two registers beginning with register 6000 (1770h) with 4 bytes and data "0102h" and "0304h": Request Response FC 8 (08h) Diagnostics Modbus function code FC08 offers numerous tests for checking the communication system between client and server or for checking various internal error states within the server. This function uses a two-byte subfunction code in the request for defining the type of test. In a normal response, the server repeats both, the function and the subfunction code. Some diagnoses contain data of the device in the data field of the normal response. Request: Name Length Value Function code 1 byte 08h Subfunction code 2 bytes Data N x 2 bytes Response: Name Length Value Function code 1 byte 08h Subfunction code 2 bytes Data N x 2 bytes Error: Name Length Value Function code 1 byte 88h Exception code (see Exception codes) 1 byte 01 or 03 or 04 FC 8.10 (08h.0Ah) Clear Counters and Diagnostic Register The objective of this request is to reset all counters and diagnosis registers. Counters are also reset when the controller is switched on. 
Subfunction Data range Request Response 00h 0Ah 00h - 00h Echo of the request data Example Request Response FC 8.11 (08h.0Bh) Return Bus Message Count The response data range returns the number of messages detected by the communications system since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller. Subfunction Data range Request Response 00h 0Bh 00h - 00h Total Message Count FC 8.12 (08h.0Ch) Return Bus Communication Error Count The response data range returns the number of CRC errors since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller. Subfunction Data range Request Response 00h 0Ch 00h - 00h CRC Error Count Example Request Response FC 8.13 (08h.0Dh) Return Bus Exception Error Count The response data range returns the number of Modbus exceptions since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller. Subfunction Data range Request Response 00h 0Dh 00h - 00h Exception Error Count Example Request Response FC 8.14 (08h.0Eh) Return Server Message Count The response data range returns the number of messages addressed to the device and the number of broadcast messages that were processed by the controller. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. Subfunction Data range Request Response 00h 0Eh 00h - 00h Server Message Count Example Request Response FC 8.15 (08h.0Fh) Return Server No Response Count The response data range returns the number of messages addressed to the controller for which no response was returned (neither normal response nor exception response). The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. 
Subfunction Data range Request Response 00h 0Fh 00h - 00h No Response Count Example Request Response FC 8.16 (08h.10h) Return Server NAK Count The response data range returns the number of messages for which a "Negative Acknowledge (NAK)" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. Subfunction Data range Request Response 00h - 10h 00h - 00h Server NAK Count Example Request Response FC 8.17 (08h.11h) Return Server Busy Count The response data range returns the number of messages for which a "Server Device Busy" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. Subfunction Data range Request Response 00h - 11h 00h - 00h Server NAK Count Example Request Response FC 8.18 (08h.12h) Return Bus Character Overrun Count The response data range returns the number of messages addressed to the controller that could not be processed due to a character overrun. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. A character overrun occurs when characters arrive at the controller faster than they can be stored or by the loss of a character due to a hardware malfunction. Subfunction Data range Request Response 00h - 12h 00h - 00h Server Character Overrun Count Example Request Response FC 43 (2Bh) Encapsulated Interface Transport This function facilitates simple access of the CANopen object dictionary. 
Further details can be found in the following documentation:

- MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3, Date: 26.04.2014, Version: 1.1b3
- CiA 309 Draft Standard Proposal - Access from other networks - Part 2: Modbus/TCP mapping V1.3, Date: 30.07.2015, Version: 1.3

Note: For the messages of the Encapsulated Interface Transport, another byte sequence applies in part, see chapter General.

Definition of the request and response:

| Name | Length | Example/number range |
| --- | --- | --- |
| Slave address | 1 byte | |
| Function code | 1 byte | 2Bh (43d) |
| MEI type | 1 byte | 0Dh (13d) |
| Protocol options Range | 2 to 5 bytes | |
| Address and data range | N bytes | |
| CRC | 2 bytes | |

Protocol options Range

| Name | Length | Example/number range |
| --- | --- | --- |
| Protocol control | 1 to 2 bytes | See description |
| Reserved | 1 byte | Always 0 |
| (Optional) Counter byte | 1 byte | |
| (Optional) Network ID | 1 byte | |
| (Optional) Encoded data | 1 byte | |

Protocol control

The "Protocol control" field contains the flags that are needed for controlling the message protocols. The bytes of the "Protocol control" field are defined as follows if the "extended" flag was set (the second byte is otherwise omitted): The most significant bit (MSB) is bit 0 for "protocol control" byte 1 and bit 8 for "protocol control" byte 2. The least significant bit (LSB) is bit 7 for "protocol control" byte 1 and bit 15 for "protocol control" byte 2.

| Bit | Name | Description |
| --- | --- | --- |
| 0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
| 1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
| 2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
| 3 and 4 | Reserved | 0 |
| 5 | Network ID option | Not supported, must be "0". |
| 6 | Encoded data option | Not supported, must be "0". |
| 7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
| 8 to 15 | Reserved | 0 |

Address and data range

The address and data range is defined in the following table:

| Name | Byte size and byte order | Example / range |
| --- | --- | --- |
| Node-ID | 1 byte | 01h to 7Fh |
| Index | 1 byte, high; 1 byte, low | 0000h to FFFFh |
| Subindex | 1 byte | 00h to FFh |
| Start address | 1 byte, high; 1 byte, low | 0000h to FFFFh |
| Number of data values | 1 byte, high; 1 byte, low | 0000h to 00FDh |
| Write/read data | n bytes | The data are encoded as described in chapter General. |

Example: To read object 6042h:00h (16-bit value), the following message must be sent by the master (all values are in hexadecimal notation, the slave ID of the controller is "5").

[Request and response frames not reproduced]

As an additional example, the following sequence of Modbus messages is sent from the master to the slave to rotate the motor in "Velocity" mode:

1. Set 6060 = "02h" (Velocity mode)
2. Set 2031 = "03E8h" (1000 mA)
3. Set 6040 = "00h"
4. Set 6040 = "80h"
5. Set 6040 = "06h"
6. Set 6040 = "07h"
7. Set 6040 = "0Fh"

[Request and response frames for each step not reproduced]

Below are two examples for reading an object:

- Read 6041h:00h
- Read 6061h:00h

[Request and response frames not reproduced]

Error reaction

In the event of an error, the following error message is sent:

| Name | Length | Example value |
| --- | --- | --- |
| Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 6 |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | CEh |
| Error code | 4 bytes | CANopen error code, see following table |

| CANopen error code | Description |
| --- | --- |
| FFFF0000h | Abort no error |
| FFFF1003h | Service is not supported |
| FFFF1004h | Gap in counter byte of the Protocol control field |
| FFFF0003h | Unknown or invalid command |
| FFFF0008h | Access to the object is not supported |
| FFFF000Eh | General error in the parameter |
| FFFF0011h | Length of parameter incorrect |
| FFFF0012h | Parameter too long |
| FFFF0013h | Parameter too short |
| FFFF0015h | Parameter data outside of the permissible value range (for write commands) |
| FFFF0016h | Parameter data exceed the permissible value range (for write commands) |
| FFFF0017h | Parameter data below the permissible value range (for write commands) |
| FFFF0018h | Maximum entered values less than minimum values |
| FFFF0019h | General error |
| FFFF001Eh | Requested object is too large for single message |
| FFFF1004h | Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response) |

In the event that the unsupported control option bit is set, the following error message is sent:

| Name | Length | Example value |
| --- | --- | --- |
| Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error) |
| Modbus exception code | 1 byte | FFh ("extended exception") |
| Extended exception length | 2 bytes | 2 + length of "supported protocol control" |
| MEI type | 1 byte | 0Dh |
| Exception code | 1 byte | AEh |
| Supported protocol control | 1 or 2 bytes | See following table |

| Bit | Name | Description |
| --- | --- | --- |
| 0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
| 1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
| 2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
| 3 and 4 | Reserved | 0 |
| 5 | Network ID option | Not supported, must be "0". |
| 6 | Encoded data option | Not supported, must be "0". |
| 7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
| 8 to 15 | Reserved | 0 |

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

[Request and response frames not reproduced]

FC 101 (65h) Read complete object dictionary

This function code is used to read out the complete object dictionary. To start or restart the reading out of the object dictionary, subfunction code 55h must be sent. This code resets reading out of the object dictionary on object 0000h. All subsequent object dictionary frames must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated with the abort code "No data available".

The format of each "read object" is as follows:

Request:

| Name | Length | Value / note |
| --- | --- | --- |
| Slave address | 1 byte | |
| Function code | 1 byte | 65h |
| Subfunction code | 1 byte | 55h or AAh |
| Length of the data | 1 byte | 00h |
| CRC | 2 bytes | |

Response:

| Name | Length | Value / note |
| --- | --- | --- |
| Slave address | 1 byte | 65h |
| Function code | 1 byte | |
| Subfunction code | 1 byte | |
| Length of the data | 1 byte | |
| n times "object dictionary frame" | 1 - 252 bytes | |
| CRC | 2 bytes | |

An object dictionary frame consists of the following bytes:

| Name | Value / note |
| --- | --- |
| Index Low Byte | 1 byte |
| Index High Byte | 1 byte |
| Subindex | 1 byte |
| Number of bytes | 1 byte; number m of the valid data in the data field |
| Data byte | m-1 byte |

Example

All of the following numerical values are in hexadecimal format. The address of the slave is "5".
Start reading of the object dictionary with request:

[Request frame not reproduced]

The response is:

[Response frame not reproduced]

Read out the next part of the object dictionary with the request:

[Request frame not reproduced]

The response is:

[Response frame not reproduced]

Repeat reading of the object dictionary with the previous request until the response is an error:

[Error response frame not reproduced]

FC 102 (66h) Read complete array or record

This function code is used to read out the complete array or record from the object dictionary. To start or restart the reading out of the array, subfunction code 55h must be sent. This code resets reading out on the object with subindex 00h.
All subsequent requests must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated.

The format of each "read object" is as follows:

Request:

| Name | Length | Value / note |
| --- | --- | --- |
| Slave address | 1 byte | |
| Function code | 1 byte | 66h |
| Subfunction code | 1 byte | 55h or AAh |
| Length of the data | 1 byte | 00h |
| Index of the array to be read | 2 bytes | |
| CRC | 2 bytes | |

Response:

| Name | Length | Value / note |
| --- | --- | --- |
| Slave address | 1 byte | 65h |
| Function code | 1 byte | |
| Subfunction code | 1 byte | |
| Length of the data | 1 byte | |
| n times object dictionary frame | 1 - 252 bytes | |
| CRC | 2 bytes | |

An object dictionary frame consists of the following bytes:

| Name | Value / note |
| --- | --- |
| Index Low Byte | 1 byte |
| Index High Byte | 1 byte |
| Subindex | 1 byte |
| Number of bytes | 1 byte; number m of the valid data in the data field |
| Data byte | m-1 byte |

Example

All of the following numerical values are in hexadecimal format; the index of the object that is to be read is 2400h. The address of the slave is "5".

Start reading of the array with request:

[Request frame not reproduced]

The response is:

[Response frame not reproduced]

Exception codes

In case of an error, the following exception codes may be contained in the response depending on the function code:

| Code | Name | Description |
| --- | --- | --- |
| 01 | Illegal Function | Function code not recognized/allowed |
| 02 | Illegal Data Address | Register address not valid or does not exist |
| 03 | Illegal Data Value | Value not valid |
| 04 | Device Failure | Unrecoverable error |

For further details, refer to the Modbus specification MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3.
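Because FC 43 (2Bh) with MEI type 0Dh gives direct read and write access to the object dictionary, a bus monitor can decode these requests to see which objects are being written. The following is an added example, not code from the manual or the vendor: it parses the request layout and protocol control bits described under FC 43, checks the standard Modbus RTU CRC-16, and reports malformed frames and writes outside an allowlist. The sample frames, Node-ID 01h, the data bytes and the `audit` allowlist are constructed for illustration.

```python
import struct

FC_MEI, MEI_CANOPEN = 0x2B, 0x0D

# Protocol control byte 1. The page numbers bits MSB-first: bit 0 is the MSB.
EXTENDED_FLAG = 0x80   # bit 0: part of a multiple message transaction
EXTENDED_PC = 0x40     # bit 1: protocol control is 2 bytes long
COUNTER_OPT = 0x20     # bit 2: counter byte is present
RESERVED_BITS = 0x18   # bits 3 and 4: reserved, 0
NETWORK_ID = 0x04      # bit 5: not supported, must be 0
ENCODED_DATA = 0x02    # bit 6: not supported, must be 0
ACCESS_WRITE = 0x01    # bit 7: 0 = read, 1 = write


def crc16_modbus(data: bytes) -> int:
    """Standard Modbus RTU CRC-16 (init FFFFh, reflected polynomial A001h)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def with_crc(body: bytes) -> bytes:
    """Append the CRC low byte first, as Modbus RTU transmits it."""
    return body + struct.pack("<H", crc16_modbus(body))


def parse_mei_request(frame: bytes) -> dict:
    """Decode one FC 2Bh / MEI 0Dh request; raise ValueError if it breaks a rule."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body = frame[:-2]
    if crc16_modbus(body) != struct.unpack("<H", frame[-2:])[0]:
        raise ValueError("CRC mismatch")
    if body[1] != FC_MEI or body[2] != MEI_CANOPEN:
        raise ValueError("not an FC 2Bh / MEI 0Dh frame")
    pos = 3

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated frame")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    ctrl = take(1)[0]
    if ctrl & EXTENDED_PC and take(1)[0] != 0:
        raise ValueError("protocol control bits 8 to 15 are reserved")
    if ctrl & (RESERVED_BITS | NETWORK_ID | ENCODED_DATA):
        raise ValueError("reserved or unsupported protocol control bit set")
    if take(1)[0] != 0:
        raise ValueError("reserved byte must be 0")
    counter = take(1)[0] if ctrl & COUNTER_OPT else None
    # Node-ID, index (high, low), subindex, start address, number of data values
    node, index, sub, start, count = struct.unpack(">BHBHH", take(8))
    if not 0x01 <= node <= 0x7F:
        raise ValueError("Node-ID outside 01h to 7Fh")
    if count > 0x00FD:
        raise ValueError("number of data values above 00FDh")
    return {"slave": body[0], "write": bool(ctrl & ACCESS_WRITE),
            "multi_message": bool(ctrl & EXTENDED_FLAG), "counter": counter,
            "node": node, "index": index, "subindex": sub,
            "start": start, "count": count, "data": bytes(body[pos:])}


def audit(frames, allowed_writes):
    """Return alerts for malformed frames and for writes to (index, subindex)
    pairs that are not in allowed_writes."""
    alerts = []
    for n, frame in enumerate(frames):
        try:
            req = parse_mei_request(frame)
        except ValueError as exc:
            alerts.append(f"frame {n}: rejected ({exc})")
            continue
        target = (req["index"], req["subindex"])
        if req["write"] and target not in allowed_writes:
            alerts.append(f"frame {n}: write to {target[0]:04X}h:{target[1]:02X}h "
                          "is not in the allowlist")
    return alerts


# Constructed sample traffic for slave 5 (data bytes are opaque placeholders;
# their encoding is defined in the manual's chapter General).
SAMPLE_FRAMES = [with_crc(bytes.fromhex(h)) for h in (
    "05 2B 0D 00 00 01 60 42 00 00 00 00 02",        # read 6042h:00h
    "05 2B 0D 01 00 01 60 60 00 00 00 00 01 02",     # write 6060h:00h
    "05 2B 0D 01 00 01 60 40 00 00 00 00 02 00 0F",  # write 6040h:00h
    "05 2B 0D 04 00 01 60 41 00 00 00 00 02",        # Network ID option bit set
)]
# Same read request with a corrupted CRC byte.
SAMPLE_FRAMES.append(SAMPLE_FRAMES[0][:-1] + bytes([SAMPLE_FRAMES[0][-1] ^ 0xFF]))

if __name__ == "__main__":
    for alert in audit(SAMPLE_FRAMES, allowed_writes={(0x6060, 0x00)}):
        print(alert)
```
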
FC 3 (03h) Read Input Registers / FC 4 (04h) Read Holding Registers With this function code, one 16-bit value or multiple 16-bit values can be read. This function can be applied to NanoJ objects (see NanoJ objects) or process data objects (min. 4-byte alignment, see Process data objects (PDO)). Request Name Length Value Slave address 1 byte Function code 1 byte 03h / 04h Start address 2 bytes 0000h to FFFFh Number of registers 2 bytes 1 to (7Dh) CRC 2 bytes Response ("M" corresponds to the number of registers to be read) Name Length Value Slave address 1 byte Function code 1 byte 03h / 04h Number of bytes 1 byte 2 * M Register value 2 bytes CRC 2 bytes Error Name Length Value Slave address 1 byte Error code 1 byte 83h / 84h Exception code (see Exception codes) 1 byte 01, 02, 03 or 04 CRC 2 bytes Example Below is an example of a read request and response of register 5000 (1388h) and of the following register (2 registers): Request Response
FC 6 (06h) Write Single Register This function code can be used to write a single 16-bit value. The function can be used on process data objects (see Process data objects (PDO)). Request Name Length Value Slave address 1 byte Function code 1 byte 06h Register address 2 bytes 0000h to FFFFh Register value 2 bytes 0000h to FFFFh CRC 2 bytes Response Name Length Value Slave address 1 byte Function code 1 byte 06h Register address 2 bytes 0000h to FFFFh Register value 2 bytes 0000h to FFFFh CRC 2 bytes Error Name Length Value Slave address 1 byte Error code 1 byte 86h Exception code (see Exception codes) 1 byte 01, 02, 03 or 04 CRC 2 bytes Example Below is an example of a write request and response in register 6000 (1770h) with the value "0001h": Request Response
FC 16 (10h) Write Multiple Registers With this function code, one 16-bit value or multiple 16-bit values can be written. The function can be applied to NanoJ objects (see Process data objects (PDO)) or process data objects (see NanoJ objects). Request ("N" is the number of registers to be written) Name Length Value Slave address 1 byte Function code 1 byte 10h Start address 2 bytes 0000h to FFFFh Number of registers 2 bytes 0001h to 007Bh Number of bytes 1 byte 2 * N Register value N * 2 bytes CRC 2 bytes Response Name Length Value Slave address 1 byte Function code 1 byte 10h Start address 2 bytes 0000h to FFFFh Number of registers 2 bytes 0001h to 007Bh CRC 2 bytes Error Name Length Value Slave address 1 byte Error code 1 byte 90h Exception code (see Exception codes) 1 byte 01, 02, 03 or 04 CRC 2 bytes Example Below is an example for writing values "0102h" and "0304h" starting with register address 6000 (1770h), number of registers is 2, length of the data is 4: Request Response
FC 17 (11h) Report Server ID This function code can be used to read the description of the type, the current status and other information about the device. Request Name Length Value Slave address 1 byte Function code 1 byte 11h CRC 2 bytes Response Name Length Value Slave address 1 byte Function code 1 byte 03h Number of bytes 1 byte 01h Run Indicator Status 1 byte 00h = OFF, FFh = ON Additional data CRC 2 bytes Error Name Length Value Slave address 1 byte Error code 1 byte 91h Exception code (see Exception codes) 1 byte 01 or 04 CRC 2 bytes Example Below is an example of a request/response for ID and status: Request Response
FC 23 (17h) Read/Write Multiple registers With this function code, one 16-bit value or multiple 16-bit values can be simultaneously read and written. The function can be applied to NanoJ objects (see Process data objects (PDO)) or process data objects (see NanoJ objects). Request ("N" is the number of registers to be read): Name Length Value Slave address 1 byte Function code 1 byte 17h Read: Start address 2 bytes 0000h to FFFFh Read: Number of registers 2 bytes 0001h to 0079h Write: Start address 2 bytes 0000h to FFFFh Write: Number of registers 2 bytes 0001h to 0079h Write: Number of bytes 1 byte 2 * N Write: Register value N * 2 bytes CRC 2 bytes Response ("M" corresponds to the number of bytes to be written): Name Length Value Slave address 1 byte Function code 1 byte 17h Number of bytes 1 byte 2 * M Registers read M * 2 bytes CRC 2 bytes Error Name Length Value Slave address 1 byte Error code 1 byte 97h Exception code (see Exception codes) 1 byte 01, 02, 03 or 04 CRC 2 bytes Example Below is an example for reading two registers beginning with register 5000 (1388h) and for writing two registers beginning with register 6000 (1770h) with 4 bytes and data "0102h" and "0304h": Request Response
FC 8 (08h) Diagnostics Modbus function code FC08 offers numerous tests for checking the communication system between client and server or for checking various internal error states within the server. This function uses a two-byte subfunction code in the request for defining the type of test. In a normal response, the server repeats both, the function and the subfunction code. Some diagnoses contain data of the device in the data field of the normal response. Request: Name Length Value Function code 1 byte 08h Subfunction code 2 bytes Data N x 2 bytes Response: Name Length Value Function code 1 byte 08h Subfunction code 2 bytes Data N x 2 bytes Error: Name Length Value Function code 1 byte 88h Exception code (see Exception codes) 1 byte 01 or 03 or 04 FC 8.10 (08h.0Ah) Clear Counters and Diagnostic Register The objective of this request is to reset all counters and diagnosis registers. Counters are also reset when the controller is switched on. Subfunction Data range Request Response 00h 0Ah 00h - 00h Echo of the request data Example Request Response FC 8.11 (08h.0Bh) Return Bus Message Count The response data range returns the number of messages detected by the communications system since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller. Subfunction Data range Request Response 00h 0Bh 00h - 00h Total Message Count FC 8.12 (08h.0Ch) Return Bus Communication Error Count The response data range returns the number of CRC errors since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller. Subfunction Data range Request Response 00h 0Ch 00h - 00h CRC Error Count Example Request Response FC 8.13 (08h.0Dh) Return Bus Exception Error Count The response data range returns the number of Modbus exceptions since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller. 
Subfunction Data range Request Response 00h 0Dh 00h - 00h Exception Error Count Example Request Response FC 8.14 (08h.0Eh) Return Server Message Count The response data range returns the number of messages addressed to the device and the number of broadcast messages that were processed by the controller. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. Subfunction Data range Request Response 00h 0Eh 00h - 00h Server Message Count Example Request Response FC 8.15 (08h.0Fh) Return Server No Response Count The response data range returns the number of messages addressed to the controller for which no response was returned (neither normal response nor exception response). The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. Subfunction Data range Request Response 00h 0Fh 00h - 00h No Response Count Example Request Response FC 8.16 (08h.10h) Return Server NAK Count The response data range returns the number of messages for which a "Negative Acknowledge (NAK)" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. Subfunction Data range Request Response 00h - 10h 00h - 00h Server NAK Count Example Request Response FC 8.17 (08h.11h) Return Server Busy Count The response data range returns the number of messages for which a "Server Device Busy" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. 
Subfunction Data range Request Response 00h - 11h 00h - 00h Server NAK Count Example Request Response FC 8.18 (08h.12h) Return Bus Character Overrun Count The response data range returns the number of messages addressed to the controller that could not be processed due to a character overrun. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. A character overrun occurs when characters arrive at the controller faster than they can be stored or by the loss of a character due to a hardware malfunction. Subfunction Data range Request Response 00h - 12h 00h - 00h Server Character Overrun Count Example Request Response
FC 8.10 (08h.0Ah) Clear Counters and Diagnostic Register The objective of this request is to reset all counters and diagnosis registers. Counters are also reset when the controller is switched on. Subfunction Data range Request Response 00h 0Ah 00h - 00h Echo of the request data Example Request Response
FC 8.11 (08h.0Bh) Return Bus Message Count The response data range returns the number of messages detected by the communications system since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller. Subfunction Data range Request Response 00h 0Bh 00h - 00h Total Message Count
FC 8.12 (08h.0Ch) Return Bus Communication Error Count The response data range returns the number of CRC errors since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller. Subfunction Data range Request Response 00h 0Ch 00h - 00h CRC Error Count Example Request Response
FC 8.13 (08h.0Dh) Return Bus Exception Error Count The response data range returns the number of Modbus exceptions since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller. Subfunction Data range Request Response 00h 0Dh 00h - 00h Exception Error Count Example Request Response
FC 8.14 (08h.0Eh) Return Server Message Count The response data range returns the number of messages addressed to the device and the number of broadcast messages that were processed by the controller. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. Subfunction Data range Request Response 00h 0Eh 00h - 00h Server Message Count Example Request Response
FC 8.15 (08h.0Fh) Return Server No Response Count The response data range returns the number of messages addressed to the controller for which no response was returned (neither normal response nor exception response). The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. Subfunction Data range Request Response 00h 0Fh 00h - 00h No Response Count Example Request Response
FC 8.16 (08h.10h) Return Server NAK Count The response data range returns the number of messages for which a "Negative Acknowledge (NAK)" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. Subfunction Data range Request Response 00h - 10h 00h - 00h Server NAK Count Example Request Response
FC 8.17 (08h.11h) Return Server Busy Count The response data range returns the number of messages for which a "Server Device Busy" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. Subfunction Data range Request Response 00h - 11h 00h - 00h Server NAK Count Example Request Response
FC 8.18 (08h.12h) Return Bus Character Overrun Count The response data range returns the number of messages addressed to the controller that could not be processed due to a character overrun. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. A character overrun occurs when characters arrive at the controller faster than they can be stored or by the loss of a character due to a hardware malfunction. Subfunction Data range Request Response 00h - 12h 00h - 00h Server Character Overrun Count Example Request Response
FC 43 (2Bh) Encapsulated Interface Transport This function facilitates simple access of the CANopen object dictionary. Further details can be found in the following documentation: MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3, Date: 26.04.2014, Version: 1.1b3 CiA 309 Draft Standard Proposal - Access from other networks - Part 2: Modbus/TCP mapping V1.3, Date: 30.07.2015, Version: 1.3 Note: For the messages of the Encapsulated Interface Transport, another byte sequence applies in part, see chapter General. Definition of the request and response: Name Length Example/number range Slave address 1 byte Function code 1 byte 2Bh (43d) MEI type 1 byte 0Dh (13d) Protocol options Range 2 to 5 bytes Address and data range N bytes CRC 2 bytes Protocol options Range Name Length Example/number range Protocol control 1 to 2 bytes See description Reserved 1 byte Always 0 (Optional) Counter byte 1 byte (Optional) Network ID 1 byte (Optional) Encoded data 1 byte Protocol control: The "Protocol control" field contains the flags that are needed for controlling the message protocols. The bytes of the "Protocol control" field are defined as follows if the "extended" flag was set (the second byte is otherwise omitted): The most significant bit (MSB) is bit 0 for "protocol control" byte 1 and bit 8 for "protocol control" byte 2. The least significant bit (LSB) is bit 7 for "protocol control" byte 1 and bit 15 for "protocol control" byte 2. Bit Name Description 0 "Extended" flag This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. 1 Extended protocol control Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. 
2 Counter byte option This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. 3 and 4 Reserved 0 5 Network ID option Not supported, must be "0". 6 Encoded data option Not supported, must be "0". 7 Access flag This bit indicates the access method of the requested command. "0" = read, "1" = write. 8 to 15 Reserved 0 Address and data range The address and data range is defined in the following table: Name Byte size and byte order Example / range Node-ID 1 byte 01h to 7Fh Index 1 byte, high 0000h to FFFFh 1 byte, low Subindex 1 byte 00h to FFh Start address 1 byte, high 0000h to FFFFh 1 byte, low Number of data values 1 byte, high 0000h to 00FDh 1 byte, low Write/read data n bytes The data are encoded as described in chapter General. Example: To read object 6042h:00h (16-bit value), the following message must be sent by the master (all values are in hexadecimal notation, the slave ID of the controller is "5"). 
Request Response

Shown as an additional example below, a sequence of Modbus messages is sent from the master to the slave to rotate the motor in "Velocity" mode:

Set 6060 = "02h" (Velocity mode)
Request Response
Set 2031 = "03E8h" (1000 mA)
Request Response
Set 6040 = "00h"
Request Response
Set 6040 = "80h"
Request Response
Set 6040 = "06h"
Request Response
Set 6040 = "07h"
Request Response
Set 6040 = "0Fh"
Request Response

Below are two examples for reading an object:

Read 6041h:00h
Request Response
Read 6061h:00h
Request Response

Error reaction

In the event of an error, the following error message is sent:

Name | Length | Example value
Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error)
Modbus exception code | 1 byte | FFh ("extended exception")
Extended exception length | 2 bytes | 6
MEI type | 1 byte | 0Dh
Exception code | 1 byte | CEh
Error code | 4 bytes | CANopen error code, see following table

CANopen error code | Description
FFFF0000h | Abort no error
FFFF1003h | Service is not supported
FFFF1004h | Gap in counter byte of the Protocol control field
FFFF0003h | Unknown or invalid command
FFFF0008h | Access to the object is not supported
FFFF000Eh | General error in the parameter
FFFF0011h | Length of parameter incorrect
FFFF0012h | Parameter too long
FFFF0013h | Parameter too short
FFFF0015h | Parameter data outside of the permissible value range (for write commands)
FFFF0016h | Parameter data exceed the permissible value range (for write commands)
FFFF0017h | Parameter data below the permissible value range (for write commands)
FFFF0018h | Maximum entered values less than minimum values
FFFF0019h | General error
FFFF001Eh | Requested object is too large for single message
FFFF1004h | Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response)

In the event that the unsupported control option bit is set, the following error message is sent:

Name | Length | Example value
Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error)
Modbus exception code | 1 byte | FFh ("extended exception")
Extended exception length | 2 bytes | 2 + length of "supported protocol control"
MEI type | 1 byte | 0Dh
Exception code | 1 byte | AEh
Supported protocol control | 1 or 2 bytes | See following table

Bit | Name | Description
0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction.
1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes.
2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message.
3 and 4 | Reserved | 0
5 | Network ID option | Not supported, must be "0".
6 | Encoded data option | Not supported, must be "0".
7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write.
8 to 15 | Reserved | 0

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request Response
FC 101 (65h) Read complete object dictionary

This function code is used to read out the complete object dictionary. To start or restart the reading out of the object dictionary, subfunction code 55h must be sent. This code resets reading out of the object dictionary on object 0000h. All subsequent object dictionary frames must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated with the abort code "No data available".

The format of each "read object" is as follows:

Request:

Name | Length | Value / note
Slave address | 1 byte |
Function code | 1 byte | 65h
Subfunction code | 1 byte | 55h or AAh
Length of the data | 1 byte | 00h
CRC | 2 bytes |

Response:

Name | Length | Value / note
Slave address | 1 byte | 65h
Function code | 1 byte |
Subfunction code | 1 byte |
Length of the data | 1 byte |
n times "object dictionary frame" | 1 - 252 bytes |
CRC | 2 bytes |

An object dictionary frame consists of the following bytes:

Name | Value / note
Index Low Byte | 1 byte
Index High Byte | 1 byte
Subindex | 1 byte
Number of bytes | 1 byte. Number m of the valid data in the data field
Data byte | m-1 byte

Example

All of the following numerical values are in hexadecimal format. The address of the slave is "5".
Start reading of the object dictionary with request:

The response is:

Read out the next part of the object dictionary with the request:

The response is:

Repeat reading of the object dictionary with the previous request until the response is an error:

Error reaction

In the event of an error, the following error message is sent:

Name | Length | Example value
Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error)
Modbus exception code | 1 byte | FFh ("extended exception")
Extended exception length | 2 bytes | 6
MEI type | 1 byte | 0Dh
Exception code | 1 byte | CEh
Error code | 4 bytes | CANopen error code, see following table

CANopen error code | Description
FFFF0000h | Abort no error
FFFF1003h | Service is not supported
FFFF1004h | Gap in counter byte of the Protocol control field
FFFF0003h | Unknown or invalid command
FFFF0008h | Access to the object is not supported
FFFF000Eh | General error in the parameter
FFFF0011h | Length of parameter incorrect
FFFF0012h | Parameter too long
FFFF0013h | Parameter too short
FFFF0015h | Parameter data outside of the permissible value range (for write commands)
FFFF0016h | Parameter data exceed the permissible value range (for write commands)
FFFF0017h | Parameter data below the permissible value range (for write commands)
FFFF0018h | Maximum entered values less than minimum values
FFFF0019h | General error
FFFF001Eh | Requested object is too large for single message
FFFF1004h | Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response)

In the event that the unsupported control option bit is set, the following error message is sent:

Name | Length | Example value
Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error)
Modbus exception code | 1 byte | FFh ("extended exception")
Extended exception length | 2 bytes | 2 + length of "supported protocol control"
MEI type | 1 byte | 0Dh
Exception code | 1 byte | AEh
Supported protocol control | 1 or 2 bytes | See following table

Bit | Name | Description
0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction.
1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes.
2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message.
3 and 4 | Reserved | 0
5 | Network ID option | Not supported, must be "0".
6 | Encoded data option | Not supported, must be "0".
7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write.
8 to 15 | Reserved | 0

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request Response
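A master or passive monitor that consumes FC 101 (65h) responses has to treat the "Length of the data" byte and each frame's "Number of bytes" value as untrusted input. The following decoder is an added example, not code from the manual or the vendor; it assumes that the response carries the function code 65h in the second byte (as in the request), that "Length of the data" counts the object dictionary frame bytes, and that each data field holds exactly m bytes. The sample frame is constructed.

```python
"""Bounds-checked decoder for an FC 101 (65h) response (added example)."""

def crc16_modbus(data: bytes) -> int:
    """Standard Modbus RTU CRC-16 (init FFFFh, reflected polynomial A001h)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def with_crc(body: bytes) -> bytes:
    """Append the CRC, low byte first, as Modbus RTU transmits it."""
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])

def parse_od_response(adu: bytes, expect_slave: int):
    """Return [(index, subindex, data), ...]; raise ValueError on any defect."""
    if len(adu) < 6:
        raise ValueError("frame shorter than header plus CRC")
    body = adu[:-2]
    if with_crc(body) != adu:
        raise ValueError("CRC mismatch")
    slave, fc, _subfc, length = body[:4]
    if slave != expect_slave:
        raise ValueError("unexpected slave address")
    if fc & 0x80:
        raise ValueError("error response (also marks the end of the read-out)")
    if fc != 0x65:
        raise ValueError("not an FC 101 response")
    payload = body[4:]
    # Assumption: "Length of the data" counts the object dictionary frame bytes.
    if not 1 <= length <= 252 or length != len(payload):
        raise ValueError("length field disagrees with received bytes")
    objects, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 4:
            raise ValueError("truncated object dictionary frame header")
        idx_lo, idx_hi, subindex, m = payload[pos:pos + 4]
        pos += 4
        # Assumption: the data field holds exactly m bytes.
        if m > len(payload) - pos:
            raise ValueError("object data overruns the message")
        objects.append(((idx_hi << 8) | idx_lo, subindex, payload[pos:pos + m]))
        pos += m
    return objects

# Constructed sample (not taken from the manual): slave 5, subfunction 55h,
# two object dictionary frames with made-up contents.
SAMPLE = with_crc(bytes.fromhex("05 65 55 0d" "00 10 00 04 aabbccdd" "01 10 00 01 00"))

if __name__ == "__main__":
    for index, subindex, data in parse_od_response(SAMPLE, expect_slave=5):
        print(f"{index:04X}h:{subindex:02X}h = {data.hex()}")
```

Every rejection path raises before any object data is sliced, so a frame whose "Number of bytes" exceeds the bytes actually received is never partially decoded.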
FC 102 (66h) Read complete array or record

This function code is used to read out the complete array or record from the object dictionary. To start or restart the reading out of the array, subfunction code 55h must be sent. This code resets reading out on the object with subindex 00h. All subsequent requests must then contain subfunction code AAh. At the end, once all objects have been read out, an "Error Response" is generated.

The format of each "read object" is as follows:

Request:

Name | Length | Value / note
Slave address | 1 byte |
Function code | 1 byte | 66h
Subfunction code | 1 byte | 55h or AAh
Length of the data | 1 byte | 00h
Index of the array to be read | 2 bytes |
CRC | 2 bytes |

Response:

Name | Length | Value / note
Slave address | 1 byte | 65h
Function code | 1 byte |
Subfunction code | 1 byte |
Length of the data | 1 byte |
n times object dictionary frame | 1 - 252 bytes |
CRC | 2 bytes |

An object dictionary frame consists of the following bytes:

Name | Value / note
Index Low Byte | 1 byte
Index High Byte | 1 byte
Subindex | 1 byte
Number of bytes | 1 byte. Number m of the valid data in the data field
Data byte | m-1 byte

Example

All of the following numerical values are in hexadecimal format; the index of the object that is to be read is 2400h. The address of the slave is "5".
Start reading of the array with request:

The response is:

Error reaction

In the event of an error, the following error message is sent:

Name | Length | Example value
Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error)
Modbus exception code | 1 byte | FFh ("extended exception")
Extended exception length | 2 bytes | 6
MEI type | 1 byte | 0Dh
Exception code | 1 byte | CEh
Error code | 4 bytes | CANopen error code, see following table

CANopen error code | Description
FFFF0000h | Abort no error
FFFF1003h | Service is not supported
FFFF1004h | Gap in counter byte of the Protocol control field
FFFF0003h | Unknown or invalid command
FFFF0008h | Access to the object is not supported
FFFF000Eh | General error in the parameter
FFFF0011h | Length of parameter incorrect
FFFF0012h | Parameter too long
FFFF0013h | Parameter too short
FFFF0015h | Parameter data outside of the permissible value range (for write commands)
FFFF0016h | Parameter data exceed the permissible value range (for write commands)
FFFF0017h | Parameter data below the permissible value range (for write commands)
FFFF0018h | Maximum entered values less than minimum values
FFFF0019h | General error
FFFF001Eh | Requested object is too large for single message
FFFF1004h | Invalid sequence of messages (e.g., if the value of the counter byte is not correct according to the previous request or response)

In the event that the unsupported control option bit is set, the following error message is sent:

Name | Length | Example value
Function code | 1 byte | 2Bh + 80h (171d = 43d + 128d) (indicates error)
Modbus exception code | 1 byte | FFh ("extended exception")
Extended exception length | 2 bytes | 2 + length of "supported protocol control"
MEI type | 1 byte | 0Dh
Exception code | 1 byte | AEh
Supported protocol control | 1 or 2 bytes | See following table

Bit | Name | Description
0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction.
1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes.
2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message.
3 and 4 | Reserved | 0
5 | Network ID option | Not supported, must be "0".
6 | Encoded data option | Not supported, must be "0".
7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write.
8 to 15 | Reserved | 0

The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:

Request Response
Exception codes

In case of an error, the following exception codes may be contained in the response depending on the function code:

Code | Name | Description
01 | Illegal Function | Function code not recognized/allowed
02 | Illegal Data Address | Register address not valid or does not exist
03 | Illegal Data Value | Value not valid
04 | Device Failure | Unrecoverable error

For further details, refer to Modbus specification MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3.