Click on any tab above to log in.

Modbus Notes

Review of Modbus Register Types

The types of registers referenced in Modbus devices include the following:
• Coil (Discrete Output)
• Discrete Input
• Input Register
• Holding Register

Whether a particular device includes all of these register types is up to the manufacturer. It is very common to find all I/O mapped to holding registers only. Coils are 1-bit registers, are used to control discrete outputs, and may be read or written. Discrete Inputs are 1-bit registers used as inputs, and may only be read. Input registers are 16-bit registers used for input, and may only be read. Holding registers are the most universal 16-bit register, may be read or written, and may be used for a variety of things including inputs, outputs, configuration data, or any requirement for "holding" data.

Control Solutions gateways will support all register types when the gateway is the master, or when operating in direct mode (Babel Buster SP-GW). Control Solutions gateways that connect a non-Modbus device to a Modbus network use only holding registers to represent the non-Modbus device data (e.g. copy LonWorks network variable data to holding registers).

Most Control Solutions I/O devices use only holding registers for all types of inputs and outputs. This convention originated with the introduction of configurable hardware that could map any type of input or output to the same register.

Review of Modbus Function Codes

Modbus protocol defines several function codes for accessing Modbus registers. There are four different data blocks defined by Modbus, and the addresses or register numbers in each of those overlap. Therefore, a complete definition of where to find a piece of data requires both the address (or register number) and function code (or register type).

The function codes most commonly recognized by Modbus devices are indicated in the table below. This is only a subset of the codes available - several of the codes have special applications that most often do not apply.

Modbus Function Codes Recognized by CSI Gateways
Master (client) Slave (server) 
Function CodeRegister TypeFunction CodeRegister Type
1Read Coil  
2Read Discrete Input  
3Read Holding Registers3Read Holding Registers
4Read Input Registers  
5Write Single Coil  
6Write Single Holding Register6Write Single Holding Register
15Write Multiple Coils  
16Write Multiple Holding Registers16Write Multiple Holding Registers

Codes listed in the Master column are those which a Control Solutions Master may use to query a remote slave. Codes listed in the Slave column are those that Control Solutions slave devices will respond to when queried by an external master. The Babel Buster SP-GW gateway is one exception. The Babel Buster SP-GW will pass through all function codes.

Modbus: When #1 does not always mean Register #1

Documentation for Modbus is not well standardized. Actually there is a standard, but not well followed when it comes to documentation. You will have to do one or more of the following to decipher which register a manufacturer is really referring to:

a) Look for the register description, such as holding register, coil, etc. If the documentation says #1, and tells you they are holding registers, then you have holding register #1. You also have user friendly documentation.

b) Look at the numbers themselves. If you see the first register on the list having a number 40001, that really tells you register #1, and it is a holding register. This form of notation is often referred to as the old Modicon convention.

c) Look for a definition of function codes to be used. If you see a register #1, along with notation telling you to use function codes 3 and 16, that also tells you it is holding register #1.

IMPORTANT: Register 1 is address 0. Read on…

d) Do the numbers in your documentation refer to the register number or address? Register #1 is address zero. If it is not clear whether your documentation refers to register or address, and you are not getting the expected result, try plus or minus one for register number. All Control Solutions products refer to register numbers in configuration software or web pages. However, some manufacturers document their devices showing address, not register numbers. When you have addresses, you must add one when entering that register into configuration software from Control Solutions.

40001: Modicon convention notation for Modbus registers

Modbus was originally developed by Gould-Modicon, which is presently Schneider Electric. The notation originally used by Modicon is still often used today, even though considered obsolete by present Modbus-IDA standards. The advantage in using the Modicon notation is that two pieces of information are included in a single number: (a) The register type; (b) The register number. A register number offset defines the type.

Note: Only the LonWorks versions of Babel Buster gateways use this notation as short hand to conserve CP space. Many other equipment manufacturers still use this convention in their products. Depending on which combination of products you are using, you may have to translate between Modicon and current conventions.

The types of registers referenced in Modbus devices, and supported by Babel Buster gateways, include the following:
• Coil (Discrete Output)
• Discrete Input
• Input Register
• Holding Register

Valid address ranges as originally defined for Modbus were 0 to 9999 for each of the above register types. Valid ranges allowed in the current specification are 0 to 65,535. The address range originally supported by Babel Buster gateways was 0 to 9999. The extended range addressing was later added to all new Babel Buster products that use this notation.

The address range applies to each type of register, and one needs to look at the function code in the Modbus message packet to determine what register type is being referenced. The Modicon convention uses the first digit of a register reference to identify the register type. 

Register types and reference ranges recognized by Babel Buster (LonWorks) gateways are as follows:

0x = Coil = 00001-09999
1x = Discrete Input = 10001-19999
3x = Input Register = 30001-39999
4x = Holding Register = 40001-49999

Translating references to addresses, reference 40001 selects the holding register at address 0000 (also referred to as register number 1). The reference 40001 will appear in documentation and is used to define the Modbus register in the location property of the functional block in a LonWorks gateway. The address 0000 will be transmitted in the message packet. Addresses are often not directly used by the application or the user.

On occasion, it is necessary to access more than 10,000 of a register type. Based on the original convention, there is another defacto standard that looks very similar. Additional register types and reference ranges recognized by Babel Buster (LonWorks) gateways are as follows:

0x = Coil = 000001-065535
1x = Discrete Input = 100001-165535
3x = Input Register = 300001-365535
4x = Holding Register = 400001-465535

When using the extended register referencing, it is mandatory that all register references be exactly six digits. This is the only way Babel Buster will know the difference between holding register 40001 and coil 40001. If coil 40001 is the target, it must appear as 040001.

If registers are 16-bits, how do I read Floating Point or 32-bit data?

Modbus protocol defines a holding register as 16 bits wide; however, there is a widely used defacto standard for reading and writing data wider than 16 bits. The most common are IEEE 754 floating point, and 32-bit integer. The convention may also be extended to double precision floating point and 64-bit integer data.

The wide data simply consists of two consecutive "registers" treated as a single wide register. Floating point in 32-bit IEEE 754 standard, and 32-bit integer data, are widely used. Although the convention of register pairs is widely recognized, agreement on whether the high order or low order register should come first is not standardized. For this reason, many devices, including all Control Solutions gateways, support a "swapped" option. This means you simply check the "swapped" option if the other device treats wide data in the opposite order relative to Control Solutions default order.

Control Solutions Modbus products all default to placing the high order register first, or in the lower numbered register. This is known as "big endian", and is consistent with Modbus protocol which is by definition big endian.

How to I read individual bits in a register?

The bit mask shown in the expanded form of the RTU read map is a 4 digit hexadecimal (16 bit) value used to mask out one or more bits in a register. The selected bits will be right justified, so a single bit regardless of where positioned in the source register will be stored locally as 0 or 1. The notation of register number followed by a colon and number from 0 to 15 indicates a single bit picked from that register. The hex bit mask values would be as follows, assuming a register number of 40001.

40001:0 mask: 0001
40001:1 mask: 0002
40001:2 mask: 0004
40001:3 mask: 0008
40001:4 mask: 0010
40001:5 mask: 0020
40001:6 mask: 0040
40001:7 mask: 0080
40001:8 mask: 0100
40001:9 mask: 0200
40001:10 mask: 0400
40001:11 mask: 0800
40001:12 mask: 1000
40001:13 mask: 2000
40001:14 mask: 4000
40001:15 mask: 8000

Sometimes a 16-bit register is used to hold two 8-bit values. To strip bytes using the bit mask, you would enter the following:

Low byte mask: 00FF
High byte mask: FF00

Can I put 2 gateways on the same Modbus network?

You can not have more than one Master on a Modbus RTU (RS-485) network. Therefore, if the gateway is to be configured as the Master, you can only have 1 gateway. You cannot use multiple gateways to read more points from the same Modbus slave device.

Multiple gateways configured as slaves can reside on the same Modbus RS-485 network.

How many devices can I have on a Modbus network?

Logically you can address over 250 devices; however, the RS-485 transceivers are not capable of physically driving that many devices. Modbus protocol states that the limit is 32 devices, and most RS-485 transceivers will agree with this. Only if all devices on the network have low load transceivers can you have more than 32 devices.