Skip to main content

Modbus protocol access

fastbeeAbout 3 min

1. Create products and polling tasks

Create a gateway product and a sub-device product first, then establish the topology relationship between the gateway and sub-device. For the topology process, see the Gateway and sub-device document.

After binding, the topology relationship is shown below:

Next, create polling tasks for the sub-device. The following example uses sub-device 01.

1.1 Open the polling task page

Open Sub-device -> Device details -> Polling task.

1.2 Add a polling task

Supported function codes:

Polling interval examples:

Interval
1 minute
3 minutes
5 minutes
10 minutes
20 minutes
30 minutes
...

The task list is shown below:

After the polling task is created, polling commands are automatically delivered when the gateway device comes online.

1.3 Active collection and collect all

Active collection immediately sends a read command and reads the register value corresponding to the selected thing model.

Collect all sends all polling commands and reads all configured register points.

2. Modbus protocol

2.1 Modbus RTU frame

A Modbus RTU message is one complete data frame. In essence, it is a complete sequence of instruction bytes.

image
image

Frame fields:

  • Slave address: each slave has a unique one-byte address. The full range is 0-255; the common valid slave range is 1-247. Address 255 can be used as a broadcast address.
  • Function code: one byte. It defines what the instruction does, such as reading data or writing data.
  • Data: varies by function code. For a read instruction, it usually contains the start address and the number of registers to read.
  • CRC: cyclic redundancy check used to detect transmission errors.

2.2 Modbus function codes

Modbus assigns a function code to each supported operation.

CodeMeaning
01HRead coils
02HRead discrete inputs
03HRead holding registers
04HRead input registers
05HWrite single coil
06HWrite single register
0FHWrite multiple coils
10HWrite multiple registers

2.3 Master reads data from slave

image
image

Example request:

01 03 00 01 00 01 D5 CA

Field explanation:

  • 0x01: slave address.
  • 0x03: function code for reading holding registers.
  • 0x00 0x01: start register address. Reading starts from 0x0001.
  • 0x00 0x01: number of registers to read.
  • 0xD5 0xCA: CRC.

Example response:

Slave addressFunction codeByte countByte 1Byte 2CRC
0x010x030x020x010x000xF8 0x4A

Response explanation:

  • 0x01: slave address.
  • 0x03: read function code.
  • 0x02: returned byte count is 2.
  • 0x00 0x17: register value.
  • 0xF8 0x4A: CRC.

2.4 Master writes data to slave

image
image

Example request:

01 06 00 01 00 17 98 04

Field explanation:

  • 0x01: slave address.
  • 0x06: function code for writing a single register.
  • 0x00 0x01: target register address.
  • 0x00 0x17: value to write.
  • 0x98 0x04: CRC.

The slave returns the same frame after a successful write.

0106000100179804
0x010600 0100 1798 04
Slave addressFunction codeData addressDataCRC

2.5 Read command field example

0103020017F84A
0x010300 0100 01D5 CA
Slave addressFunction codeData addressNumber of valuesCRC

2.6 Message example

Read registers 40005 and 40006, assuming the slave address is 1.

Downstream message:

01 03 00 04 00 02 85 ca
Slave addressFunction codeStart register addressNumber of registersCRC
010300 0400 0285 ca

Upstream message:

01 03 04 00 00 00 00 21 33
Slave addressFunction codeReturned byte countRegister 40005 dataRegister 40006 dataCRC
01030400 0000 0021 33

2.7 Common Modbus RTU function codes

Data typeRead function codeWrite function codeObject type
Discrete input02-Single bit
Coil status0105, 15Single bit
Input register04-16-bit word
Holding register0306, 1616-bit word

2.8 Register start addresses

Data typeParameter address / register number
Discrete input00001-0FFFF
Coil status10001-1FFFF
Input register30001-3FFFF
Holding register40001-4FFFF
Last update:
Contributors: kerwincui
fastbee
Copyright © 2026 fastbee