Modbus
Modbus Protocol Overview[edit | edit source]
Introduction[edit | edit source]
Modbus is a widely used open communication protocol developed by Modicon (now Schneider Electric) in 1979 for industrial automation systems. It is one of the most common protocols used on top of serial communication standards such as RS-485, RS-422, and RS-232, as well as TCP/IP networks (Modbus TCP).
Modbus defines the application layer (message structure and data model) and is independent of the underlying physical layer.
It is widely used in PLC systems, industrial sensors, SCADA systems, energy meters, and embedded devices due to its simplicity and robustness.
Core Principles[edit | edit source]
- Master–slave (client–server) communication model
- Simple request/response mechanism
- No built-in collision handling (handled by master logic or bus topology)
- Device addressing system
- Register-based data model
Modbus Variants[edit | edit source]
- Modbus RTU
- Binary protocol used over serial lines (RS-485, RS-422, RS-232)
- Compact frame format
- CRC error checking
- Most common industrial implementation
- Modbus ASCII
- Human-readable ASCII-based version
- Easier to debug manually
- Slower and less efficient than RTU
- Rare in modern systems
- Modbus TCP
- Ethernet-based version
- Runs over TCP/IP (port 502)
- No CRC (handled by TCP)
- Allows higher scalability and integration with IT networks
Network Architecture[edit | edit source]
- Master–Slave Model (RTU/ASCII)
- One master controls communication
- Multiple slaves respond only when addressed
- Slaves never initiate communication
- Client–Server Model (TCP)
- Master → Client
- Slave → Server
- Multiple clients supported over Ethernet
Addressing[edit | edit source]
- Device addresses: 1–247
- Address 0: Broadcast (no response)
- Each slave must have a unique address on the bus
Incorrect configuration:
- Duplicate addresses → communication conflicts
- Address mismatch → no response
Modbus Frame Structure (RTU)[edit | edit source]
| Address | Function | Data | CRC | | 1 byte | 1 byte | N bytes | 2 bytes |
- Fields
- Address: Slave device ID
- Function: Operation code (read/write)
- Data: Registers, addresses, values
- CRC: Error detection (16-bit)
Common Function Codes[edit | edit source]
| Code | Function | Description |
|---|---|---|
| 01 | Read Coils | Read digital outputs |
| 02 | Read Discrete Inputs | Read digital inputs |
| 03 | Read Holding Registers | Read analog data / configuration |
| 04 | Read Input Registers | Read sensor values |
| 05 | Write Single Coil | Control single digital output |
| 06 | Write Single Register | Write one register value |
| 15 (0x0F) | Write Multiple Coils | Batch digital output control |
| 16 (0x10) | Write Multiple Registers | Batch register write |
Data Model[edit | edit source]
Modbus uses a simple memory-like structure:
- Coils (0xxxx): Digital outputs (read/write)
- Discrete Inputs (1xxxx): Digital inputs (read-only)
- Input Registers (3xxxx): Analog inputs (read-only)
- Holding Registers (4xxxx): Configuration / writable registers
Each register is:
- 16-bit wide
- Big-endian format (MSB first)
Modbus RTU Timing[edit | edit source]
Critical timing requirements:
- Silent interval ≥ 3.5 character times (frame delimiter)
- Inter-character delay ≤ 1.5 character times
- Baud rate typically: 9600–115200 bps
Timing violations cause:
- Frame corruption
- Slave timeout
- Communication errors
Physical Layer Usage[edit | edit source]
Modbus is commonly implemented on:
- RS-485 (most common)
- RS-422 (point-to-multipoint read-only systems)
- RS-232 (single device links)
- Ethernet (Modbus TCP)
RS-485 is preferred due to:
- Multi-drop capability
- Noise immunity
- Long cable support
Termination and Biasing (RS-485 context)[edit | edit source]
When used over RS-485:
- 120 Ω termination at both ends of the bus
- Biasing resistors may be required for idle stability
- Proper grounding is essential for long runs
Modbus itself does NOT define electrical termination — it depends on the physical layer.
Error Handling[edit | edit source]
Modbus RTU uses:
- CRC-16 checksum for error detection
- Timeout-based failure detection
Modbus TCP uses:
- TCP/IP error handling (no CRC in Modbus layer)
No retransmission mechanism is defined in the protocol itself.
Limitations[edit | edit source]
- No built-in encryption or security
- No authentication mechanism
- Limited data types (16-bit registers)
- No standardized device discovery
- Master bottleneck in RTU systems
- No collision handling at protocol level
Advantages[edit | edit source]
- Very simple protocol design
- Lightweight and fast implementation
- Wide industry adoption
- Vendor-independent
- Easy to debug and implement
- Works over multiple physical layers
Applications[edit | edit source]
- Industrial automation (PLC systems)
- SCADA monitoring systems
- Energy meters and smart grids
- HVAC control systems
- Industrial sensors and actuators
- Water treatment systems
- Building automation (BMS)
- Embedded microcontroller systems
Common Implementation Issues[edit | edit source]
- Incorrect register addressing (offset confusion: 0-based vs 1-based)
- Endianness mismatches
- Wrong baud rate or parity settings
- Missing termination on RS-485 bus
- Duplicate slave IDs
- Improper timing in RTU mode
- Mixing Modbus TCP and RTU assumptions
Debugging Tips[edit | edit source]
- Use Modbus analyzer or protocol sniffer
- Verify CRC calculations
- Check baud rate and parity alignment
- Confirm slave address mapping
- Monitor RS-485 differential signal (A-B)
- Test with single slave before expanding network
- Validate register offsets carefully
Security Considerations[edit | edit source]
Modbus has no built-in security mechanisms:
Risks:
- Unauthorized command injection
- Network sniffing (plaintext protocol)
- Device manipulation
Mitigations:
- Network segmentation (industrial VLANs)
- Firewalls and gateways
- Modbus over VPN tunnels
- Protocol wrappers with authentication
Comparison with Other Protocols[edit | edit source]
| Feature | Modbus | CAN Bus | Profibus |
|---|---|---|---|
| Complexity | Low | Medium | High |
| Speed | Medium | Medium | High |
| Topology | Master-slave | Multi-master | Master-slave |
| Security | None | None | Limited |
| Use case | Industrial automation | Automotive / embedded | Industrial systems |
Conclusion[edit | edit source]
Modbus remains one of the most widely used industrial communication protocols due to its simplicity, reliability, and ease of implementation. While it lacks modern security and advanced features, its compatibility with multiple physical layers and broad ecosystem support ensure its continued relevance in industrial and embedded systems.
Proper implementation of timing, addressing, and physical layer design is critical for stable operation.
This page provides a foundational overview of Modbus and should be used alongside RS-485/RS-422 physical layer documentation and device-specific register maps.
See Also[edit | edit source]
External References[edit | edit source]
- Modbus Organization Specification (www.modbus.org)
- Schneider Electric Modbus documentation
- Texas Instruments Modbus over RS-485 application notes
- Analog Devices industrial communication guides
