Transcription

Modbus-IDAMODBUS APPLICATION PROTOCOL SPECIFICATIONV1.1bCONTENTS1Introduction . 221.1 Scope of this document . 2Abbreviations . 23Context . 34General description . 354.1 Protocol description . 34.2 Data Encoding . 64.3 MODBUS Data model . 64.4 MODBUS Addressing model . 74.5 Define MODBUS Transaction . 8Function Code Categories .1065.1 Public Function Code Definition .11Function codes descriptions .126.16.26.36.46.56.66.76.8701 (0x01) Read Coils .1202 (0x02) Read Discrete Inputs.1303 (0x03) Read Holding Registers .1504 (0x04) Read Input Registers .1605 (0x05) Write Single Coil .1706 (0x06) Write Single Register .1907 (0x07) Read Exception Status (Serial Line only) .2008 (0x08) Diagnostics (Serial Line only) .216.8.1 Sub-function codes supported by the serial line devices .226.8.2 Example and state diagram .246.9 11 (0x0B) Get Comm Event Counter (Serial Line only) .256.10 12 (0x0C) Get Comm Event Log (Serial Line only) .266.11 15 (0x0F) Write Multiple Coils .296.12 16 (0x10) Write Multiple registers .306.13 17 (0x11) Report Slave ID (Serial Line only) .326.14 20 (0x14) Read File Record .326.15 21 (0x15) Write File Record .346.16 22 (0x16) Mask Write Register .366.17 23 (0x17) Read/Write Multiple registers .386.18 24 (0x18) Read FIFO Queue .416.19 43 ( 0x2B) Encapsulated Interface Transport .426.20 43 / 13 (0x2B / 0x0D) CANopen General Reference Request and ResponsePDU .436.21 43 / 14 (0x2B / 0x0E) Read Device Identification .44MODBUS Exception Responses .48Annex A (Informative): MODBUS RESERVED FUNCTION CODES, SUBCODES ANDMEI TYPES .51Annex B (Informative): CANOPEN GENERAL REFERENCE COMMAND .51December 28, 2006http://www.Modbus-IDA.org1/51

MODBUS Application Protocol Specification V1.1b1Modbus-IDAIntroduction1.1Scope of this documentMODBUS is an application layer messaging protocol, positioned at level 7 of the OSI model,that provides client/server communication between devices connected on different types ofbuses or networks.The industry’s serial de facto standard since 1979, MODBUS continues to enable millions ofautomation devices to communicate. Today, support for the simple and elegant structure ofMODBUS continues to grow. The Internet community can access MODBUS at a reservedsystem port 502 on the TCP/IP stack.MODBUS is a request/reply protocol and offers services specified by function codes.MODBUS function codes are elements of MODBUS request/reply PDUs. The objective of thisdocument is to describe the function codes used within the framework of MODBUStransactions.MODBUS is an application layer messaging protocol for client/server communication betweendevices connected on different types of buses or networks.It is currently implemented using:y TCP/IP over Ethernet. See MODBUS Messaging Implementation Guide V1.0a.y Asynchronous serial transmission over a variety of media (wire : EIA/TIA-232-E, EIA422, EIA/TIA-485-A; fiber, radio, etc.)yMODBUS PLUS, a high speed token passing network.MODBUS APPLICATION LAYERModbus on TCPTCPIPOtherMODBUS / HDLCMaster / SlaveEthernet II /802.3OtherPhysical layerEIA/TIA-232 orEIA/TIA-485EthernetPhysical layerFigure 1:MODBUS communication stackReferences1. RFC 791, Internet Protocol, Sep81 DARPA2AbbreviationsADUApplication Data UnitHDLC High level Data Link ControlHMIHuman Machine InterfaceIETFInternet Engineering Task ForceI/OInput/OutputDecember 28, 2006http://www.Modbus-IDA.org2/51

MODBUS Application Protocol Specification V1.1bIPInternet ProtocolMACMedium Access ControlMBMODBUS ProtocolModbus-IDAMBAP MODBUS Application ProtocolPDUProtocol Data UnitPLCProgrammable Logic ControllerTCPTransport Control Protocol3ContextThe MODBUS protocol allows an easy communication within all types of networkarchitectures.MODBUS COMMUNICATIONDrivePLCHMII/ OI/ OPLCI/ OMODBUS ON TCP/IPPLCHMIDeviceGatewayMODBUS ON RS485GatewayMODBUS ON RS232MODBUS ON MB GatewayPLCI/ OI/ ODriveI/ ODeviceI/ OFigure 2:Example of MODBUS Network ArchitectureEvery type of devices (PLC, HMI, Control Panel, Driver, Motion control, I/O Device ) can useMODBUS protocol to initiate a remote operation.The same communication can be done as well on serial line as on an Ethernet TCP/IPnetworks. Gateways allow a communication between several types of buses or network usingthe MODBUS protocol.44.1General descriptionProtocol descriptionThe MODBUS protocol defines a simple protocol data unit (PDU) independent of theunderlying communication layers. The mapping of MODBUS protocol on specific buses ornetwork can introduce some additional fields on the application data unit (ADU).December 28, 2006http://www.Modbus-IDA.org3/51

MODBUS Application Protocol Specification V1.1bModbus-IDAADUAdditional addressFunction codeDataError checkPDUFigure 3:General MODBUS frameThe MODBUS application data unit is built by the client that initiates a MODBUS transaction.The function indicates to the server what kind of action to perform. The MODBUS applicationprotocol establishes the format of a request initiated by a client.The function code field of a MODBUS data unit is coded in one byte. Valid codes are in therange of 1 . 255 decimal (the range 128 – 255 is reserved and used for exceptionresponses). When a message is sent from a Client to a Server device the function code fieldtells the server what kind of action to perform. Function code "0" is not valid.Sub-function codes are added to some function codes to define multiple actions.The data field of messages sent from a client to server devices contains additionalinformation that the server uses to take the action defined by the function code. This caninclude items like discrete and register addresses, the quantity of items to be handled, andthe count of actual data bytes in the field.The data field may be nonexistent (of zero length) in certain kinds of requests, in this casethe server does not require any additional information. The function code alone specifies theaction.If no error occurs related to the MODBUS function requested in a properly received MODBUSADU the data field of a response from a server to a client contains the data requested. If anerror related to the MODBUS function requested occurs, the field contains an exception codethat the server application can use to determine the next action to be taken.For example a client can read the ON / OFF states of a group of discrete outputs or inputs orit can read/write the data contents of a group of registers.When the server responds to the client, it uses the function code field to indicate either anormal (error-free) response or that some kind of error occurred (called an exceptionresponse). For a normal response, the server simply echoes to the request the originalfunction code.ClientServerInitiate requestFunction codeData RequestPerform the actionInitiate the responseFunction codeData ResponseReceive the responseFigure 4:MODBUS transaction (error free)For an exception response, the server returns a code that is equivalent to the originalfunction code from the request PDU with its most significant bit set to logic 1.December 28, 2006http://www.Modbus-IDA.org4/51

MODBUS Application Protocol Specification V1.1bClientModbus-IDAServerInitiate requestFunction codeData RequestError detected in the actionInitiate an errorException Function codeReceive the responseFigure 5:Exception codeMODBUS transaction (exception response))Note: It is desirable to manage a time out in order not to indefinitely wait for an answer which will perhapsnever arrive.The size of the MODBUS PDU is limited by the size constraint inherited from the firstMODBUS implementation on Serial Line network (max. RS485 ADU 256 bytes).Therefore:MODBUS PDU for serial line communication 256 - Server address (1 byte) - CRC (2bytes) 253 bytes.Consequently:RS232 / RS485 ADU 253 bytes Server address (1 byte) CRC (2 bytes) 256 bytes.TCP MODBUS ADU 253 bytes MBAP (7 bytes) 260 bytes.The MODBUS protocol defines three PDUs. They are : MODBUS Request PDU, mb req pdu MODBUS Response PDU, mb rsp pdu MODBUS Exception Response PDU, mb excep rsp pduThe mb req pdu is defined as:mb req pdu {function code, request data},wherefunction code [1 byte] MODBUS function code,request data [n bytes] This field is function code dependent and usuallycontains information such as variable references,variable counts, data offsets, sub-function codes etc.The mb rsp pdu is defined as:mb rsp pdu {function code, response data},wherefunction code [1 byte] MODBUS function coderesponse data [n bytes] This field is function code dependent and usuallycontains information such as variable references,variable counts, data offsets, sub-function codes, etc.December 28, 2006http://www.Modbus-IDA.org5/51

MODBUS Application Protocol Specification V1.1bModbus-IDAThe mb excep rsp pdu is defined as:mb excep rsp pdu {exception-function code, request data},whereexception-function code [1 byte] MODBUS function code 0x80exception code [1 byte] MODBUS Exception Code Defined in table"MODBUS Exception Codes" (see section 7 ).4.2 Data EncodingMODBUS uses a ‘big-Endian’ representation for addresses and data items. This meansthat when a numerical quantity larger than a single byte is transmitted, the mostsignificant byte is sent first. So for exampleRegister size16 - bits)4.3value0x1234the first byte sent is0x12then 0x34Note: For more details, see [1] .MODBUS Data modelMODBUS bases its data model on a series of tables that have distinguishing characteristics.The four primary tables are:Primary tablesObject typeType ofDiscretes InputSingle bitRead-OnlyCoilsSingle bitRead-WriteInput Registers16-bit wordRead-OnlyHolding Registers16-bit wordRead-WriteCommentsThis type of data can be provided by an I/O system.This type of data can be alterable by an applicationprogram.This type of data can be provided by an I/O systemThis type of data can be alterable by an applicationprogram.The distinctions between inputs and outputs, and between bit-addressable and wordaddressable data items, do not imply any application behavior. It is perfectly acceptable, andvery common, to regard all four tables as overlaying one another, if this is the most naturalinterpretation on the target machine in question.For each of the primary tables, the protocol allows individual selection of 65536 data items,and the operations of read or write of those items are designed to span multiple consecutivedata items up to a data size limit which is dependent on the transaction function code.It’s obvious that all the data handled via MODBUS (bits, registers) must be located in deviceapplication memory. But physical address in memory should not be confused with datareference. The only requirement is to link data reference with physical address.MODBUS logical reference numbers, which are used in MODBUS functions, are unsignedinteger indices starting at zero. Implementation examples of MODBUS modelThe examples below show two ways of organizing the data in device. There are differentorganizations possible, but not all are described in this document. Each device can have itsown organization of the data according to its applicationExample 1 : Device having 4 separate blocksDecember 28, 2006http://www.Modbus-IDA.org6/51

MODBUS Application Protocol Specification V1.1bModbus-IDAThe example below shows data organization in a device having digital and analog, inputs andoutputs. Each block is separate because data from different blocks have no correlation. Eachblock is thus accessible with different MODBUS functions.Device application memoryMODBUS accessInput DiscreteCoilsMODBUS RequestInput RegistersHoldingRegistersMODBUS SERVER DEVICEFigure 6MODBUS Data Model with separate blockExample 2: Device having only 1 blockIn this example, the device has only 1 data block. The same data can be reached via severalMODBUS functions, either via a 16 bit access or via an access bit.Device application memoryMODBUS accessInput DiscreteRWCoilsRWMODBUS RequestInput RegistersHoldingRegistersMODBUS SERVER DEVICEFigure 74.4MODBUS Data Model with only 1 blockMODBUS Addressing modelThe MODBUS application protocol defines precisely PDU addressing rules.In a MODBUS PDU each data is addressed from 0 to 65535.It also defines clearly a MODBUS data model composed of 4 blocks that comprises severalelements numbered from 1 to n.In the MODBUS data Model each element within a data block is numbered from 1 to n.December 28, 2006http://www.Modbus-IDA.org7/51

MODBUS Application Protocol Specification V1.1bModbus-IDAAfterwards the MODBUS data model has to be bound to the device application ( IEC-61131object, or other application model).The pre-mapping between the MODBUS data model and the device application is totallyvendor device specific.Device applicationMODBUS data modelMODBUS PDU addressesRead input 01Discrete InputCoils.1.5Read coils 4.1Input Registers 2.Read Registers 11.Holding Registers.55Read Registers 54MappingApplication specificMODBUS StandardFigure 8MODBUS Addressing modelThe previous figure shows that a MODBUS data numbered X is addressed in the MODBUSPDU X-1.4.5Define MODBUS TransactionThe following state diagram describes the generic processing of a MODBUS transaction inserver side.December 28, 2006http://www.Modbus-IDA.org8/51

MODBUS Application Protocol Specification V1.1bModbus-IDAWait for a MBindication[Receive MB indication]Validate functioncodeExeptionCode 1[Invalid][Valid]Validate dataAddressExceptionCode 2[Invalid][valid]Validate datavalueExceptionCode 3[Invalid][valid]Execute MBfunctionExceptionCode 4, 5, 6[Invalid][Valid]Send ModbusExceptionResponseFigure 9Send ModbusResponseMODBUS Transaction state diagramOnce the request has been processed by a server, a MODBUS response using theadequate MODBUS server transaction is built.Depending on the result of the processing two types of response are built : A positive MODBUS response : the response function code the request function codeA MODBUS Exception response ( see section 7 ): the objective is to provide to the client relevant information concerning theerror detected during the processing ; the exception function code the request function code 0x80 ; an exception code is provided to indicate the reason of the error.December 28, 2006http://www.Modbus-IDA.org9/51

MODBUS Application Protocol Specification V1.1b5Modbus-IDAFunction Code CategoriesThere are three categories of MODBUS Functions codes. They are :Public Function Codes Are well defined function codes , guaranteed to be unique, validated by the MODBUS-IDA.org community, publicly documented have available conformance test, includes both defined public assigned function codes as well as unassigned functioncodes reserved for future use.User-Defined Function Codes there are two ranges of user-defined function codes, i.e. 65 to 72 and from 100 to110 decimal. user can select and implement a function code that is not supported by thespecification. there is no guarantee that the use of the selected function code will be unique if the user wants to re-position the functionality as a public function code, he mustinitiate an RFC to introduce the change into the public category and to have a newpublic function code assigned. MODBUS Organization, Inc expressly reserves the right to develop the proposedRFC.Reserved Function Codes Function Codes currently used by some companies for legacy products and thatare not available for public use. Informative Note: The reader is asked refer to Annex A (Informative) MODBUSRESERVED FUNCTION CODES, SUBCODES AND MEI TYPES.December 28, 2006http://www.Modbus-IDA.org10/51

MODBUS Application Protocol Specification V1.1bModbus-IDA127PUBLIC function codes110100User Defined Function codesPUBLIC function codes7265User Defined Function codesPUBLIC function codes1Figure 105.1MODBUS Function Code CategoriesPublic Function Code DefinitionPhysical DiscreteInputsBitaccessInternal BitsOrPhysical coilsPhysical InputRegistersDataAccess16 bitsaccessInternal RegistersOrPhysical OutputRegistersFile record accessDiagnosticsOtherDecember 28, 2006Read Discrete InputsFunction CodescodeSub(hex) Sectioncode6.20202Read CoilsWrite Single CoilWrite Multiple Coils01051501050F6.16.56.11Read Input Register04046.4Read Holding RegistersWrite Single RegisterWrite Multiple RegistersRead/Write Multiple RegistersMask Write RegisterRead FIFO queueRead File recordWrite File recordRead Exception statusDiagnosticGet Com event counterGet Com Event LogReport Slave IDRead device IdentificationEncapsulated 061017161814150700-18,20 1/51

MODBUS Application Protocol Specification V1.1bModbus-IDACANopen General Reference643132B6.20Function codes descriptions6.101 (0x01) Read CoilsThis function code is used to read from 1 to 2000 contiguous status of coils in a remotedevice. The Request PDU specifies the starting address, i.e. the address of the first coilspecified, and the number of coils. In the PDU Coils are addressed starting at zero. Thereforecoils numbered 1-16 are addressed as 0-15.The coils in the response message are packed as one coil per bit of the data field. Status isindicated as 1 ON and 0 OFF. The LSB of the first data byte contains the output addressedin the query. The other coils follow toward the high order end of this byte, and from low orderto high order in subsequent bytes.If the returned output quantity is not a multiple of eight, the remaining bits in the final databyte will be padded with zeros (toward the high order end of the byte). The Byte Count fieldspecifies the quantity of complete bytes of data.RequestFunction codeStarting AddressQuantity of coils1 Byte2 Bytes2 Bytes0x010x0000 to 0xFFFF1 to 2000 (0x7D0)1 Byte1 Byten Byte0x01N*n N or N 1ResponseFunction codeByte countCoil Status*N Quantity of Outputs / 8, if the remainder is different of 0 N N 1ErrorFunction codeException code1 Byte1 ByteFunction code 0x8001 or 02 or 03 or 04Here is an example of a request to read discrete outputs 20–38:RequestField NameFunctionStarting Address HiStarting Address LoQuantity of Outputs HiQuantity of Outputs Lo(Hex)0100130013ResponseField NameFunctionByte CountOutputs status 27-20Outputs status 35-28Outputs status 38-36(Hex)0103CD6B05The status of outputs 27–20 is shown as the byte value CD hex, or binary 1100 1101. Output27 is the MSB of this byte, and output 20 is the LSB.By convention, bits within a byte are shown with the MSB to the left, and the LSB to the right.Thus the outputs in the first byte are ‘27 through 20’, from left to right. The next byte hasoutputs ‘35 through 28’, left to right. As the bits are transmitted serially, they flow from LSB toMSB: 20 . . . 27, 28 . . . 35, and so on.In the last data byte, the status of outputs 38-36 is shown as the byte value 05 hex, or binary0000 0101. Output 38 is in the sixth bit position from the left, and output 36 is the LSB of thisbyte. The five remaining high order bits are zero filled.)Note: The five remaining bits (toward the high order end) are zero filled.December 28, 2006http://www.Modbus-IDA.org12/51

MODBUS Application Protocol Specification V1.1bModbus-IDAENTRYMB Server receives mb req pduNOFunction codesupportedYESExceptionCode 01NO0x0001 Quantity of Outputs 0x07D0YESExceptionCode 03NOStarting Address OKANDStarting Address Quantity of Outputs OKYESExceptionCode 02Request ProcessingNOReadDiscreteOutputs OKYESExceptionCode 04MB Server Sends mb rspMB Server Sends mb exception rspFigure 11:6.2EXITRead Coils state diagram02 (0x02) Read Discrete InputsThis function code is used to read from 1 to 2000 contiguous status of discrete inputs in aremote device. The Request PDU specifies the starting address, i.e. the address of the firstinput specified, and the number of inputs. In the PDU Discrete Inputs are addressed startingat zero. Therefore Discrete inputs numbered 1-16 are addressed as 0-15.The discrete inputs in the response message are packed as one input per bit of the data field.Status is indicated as 1 ON; 0 OFF. The LSB of the first data byte contains the inputaddressed in the query. The other inputs follow toward the high order end of this byte, andfrom low order to high order in subsequent bytes.If the returned input quantity is not a multiple of eight, the remaining bits in the final data bytewill be padded with zeros (toward the high order end of the byte). The Byte Count fieldspecifies the quantity of complete bytes of data.RequestFunction code1 Byte0x02Starting Address2 Bytes0x0000 to 0xFFFFQuantity of Inputs2 Bytes1 to 2000 (0x7D0)1 Byte0x02Byte count1 ByteN*Input StatusN* x 1 ByteResponseFunction code*N Quantity of Inputs / 8 if the remainder is different of 0 N N 1ErrorError codeDecember 28, 20061 Byte0x82http://www.Modbus-IDA.org13/51

MODBUS Application Protocol Specification V1.1bException code1 ByteModbus-IDA01 or 02 or 03 or 04Here is an example of a request to read discrete inputs 197 – 218:RequestField NameFunctionStarting Address HiStarting Address LoQuantity of Inputs HiQuantity of Inputs LoResponseField NameFunctionByte CountInputs Status 204-197Inputs Status 212-205Inputs Status 218-213(Hex)0200C40016(Hex)0203ACDB35The status of discrete inputs 204–197 is shown as the byte value AC hex, or binary 10101100. Input 204 is the MSB of this byte, and input 197 is the LSB.The status of discrete inputs 218–213 is shown as the byte value 35 hex, or binary 00110101. Input 218 is in the third bit position from the left, and input 213 is the LSB.)Note: The two remaining bits (toward the high order end) are zero filled.ENTRYMB Server receives m b req pduNOFunction codesupportedYESExceptionCode 01NO0x0001 Quantity of Inputs 0x07D0YESExceptionCode 03NOStarting Address OKANDStarting Address Quantity of Inputs OKYESExceptionCode 02Request ProcessingNOReadDiscreteInputs OKYESExceptionCode 04MB Server Sends m b rspMB Server Sends m b exception rspFigure 12:December 28, 2006EXITRead Discrete Inputs state diagramhttp://www.Modbus-IDA.org14/51

MODBUS Application Protocol Specification V1.1b6.3Modbus-IDA03 (0x03) Read Holding RegistersThis function code is used to read the contents of a contiguous block of holding registers in aremote device. The Request PDU specifies the starting register address and the number ofregisters. In the PDU Registers are addressed starting at zero. Therefore registers numbered1-16 are addressed as 0-15.The register data in the response message are packed as two bytes per register, with thebinary contents right justified within each byte. For each register, the first byte contains thehigh order bits and the second contains the low order bits.RequestFunction codeStarting AddressQuantity of Registers1 Byte2 Bytes2 Bytes0x030x0000 to 0xFFFF1 to 125 (0x7D)1 Byte1 ByteN * x 2 Bytes0x032 x N*1 Byte1 Byte0x8301 or 02 or 03 or 04ResponseFunction codeByte countRegister value*N Quantity of RegistersErrorError codeException codeHere is an example of a request to read registers 108 – 110:RequestField NameFunctionStarting Address HiStarting Address LoNo. of Registers HiNo. of Registers Lo(Hex)03006B0003ResponseField NameFunctionByte CountRegister valueRegister valueRegister valueRegister valueRegister valueRegister valueHi (108)Lo (108)Hi (109)Lo (109)Hi (110)Lo (110)(Hex)0306022B00000064The contents of register 108 are shown as the two byte values of 02 2B hex, or 555 decimal.The contents of registers 109–110 are 00 00 and 00 64 hex, or 0 and 100 decimal,respectively.December 28, 2006http://www.Modbus-IDA.org15/51

MODBUS Application Protocol Specification V1.1bModbus-IDAENTRYMB Server receives mb req pduNOFunction codesupportedYESExceptionCode 01NO0x0001 Quantity of Registers 0x007DYESExceptionCode 03NOStarting Address OKANDStarting Address Quantity of Registers OKYESExceptionCode 02Request ProcessingNOReadMultipleRegisters OKYESExceptionCode 04MB Server Sends mb rspEXITMB Server Sends mb exception rspFigure 13:6.4Read Holding Registers state diagram04 (0x04) Read Input RegistersThis function code is used to read from 1 to 125 contiguous input registers in a remotedevice. The Request PDU specifies the starting register address and the number of registers.In the PDU Registers are addressed starting at zero. Therefore input registers numbered 1-16are addressed as 0-15.The register data in the response message are packed as two bytes per register, with thebinary contents right justified within each byte. For each register, the first byte contains thehigh order bits and the second contains the low order bits.RequestFunction codeStarting AddressQuantity of Input Registers1 Byte2 Bytes2 Bytes0x040x0000 to 0xFFFF0x0001 to 0x007D1 Byte1 ByteN * x 2 Bytes0x042 x N*ResponseFunction codeByte countInput Registers*N Quantity of Input RegistersErrorError codeException code1 Byte1 Byte0x8401 or 02 or 03 or 04Here is an example of a request to read input register 9:RequestField NameFunctionStarting Address HiStarting Address LoDecember 28, 2006(Hex)040008ResponseField NameFunctionByte CountInput Reg. 9 Hihttp://www.Modbus-IDA.org(Hex)04020016/51

MODBUS Application Protocol Specification V1.1bQuantity of Input Reg. HiQuantity of Input Reg. LoModbus-IDAInput Reg. 9 Lo00010AThe contents of input register 9 are shown as the two byte values of 00 0A hex, or 10decimal.ENTRYMB Server receives mb req pduNOFunction codesupportedYESExceptionCode 01NO0x0001 Quantity of Registers 0x007DYESExceptionCode 03NOStarting Address OKANDStarting Address Quantity of Registers OKYESExceptionCode 02Request ProcessingNOReadInputRegisters OKYESExceptionCode 04MB Server Sends mb rspEXITMB Server Sends mb exception rspFigure 14:6.5Read Input Registers state diagram05 (0x05) Write Single CoilThis function code is used to write a single output to either ON or OFF in a remote device.The requested ON/OFF state is specified by a constant in the request data field. A value ofFF 00 hex requests the output to be ON. A value of 00 00 requests it to be OFF. All othervalues are illegal and will not affect the output.The Request PDU specifies the address of the coil to be forced. Coils are addressed startingat zero. Therefore coil numbered 1 is addressed as 0. The requested ON/OFF state isspecified by a constant in the Coil Value field. A value of 0XFF00 requests the coil to be ON.A value of 0X0000 requests the coil to be off. All other values are illegal and will not affectthe coil.The normal response is an echo of the request, returned after the coil state has been written.RequestFunction codeOutput AddressOutput ValueDecember 28, 20061 Byte2 Bytes2 Bytes0x050x0000 to 0xFFFF0x0000 or 0xFF00http://www.Modbus-IDA.org17/51

MODBUS Application Protocol Specification V1.1bModbus-IDAResponseFunction codeOutput AddressOutput Value1 Byte2 Bytes2 Bytes0x050x0000 to 0xFFFF

MODBUS continues to grow. The Internet community can access MODBUS at a reserved system port 502 on the TCP/IP stack. MODBUS is a request/reply protocol and offers services specified by function codes. MODBUS function codes are ele