Modbus: Difference between revisions

From BMSpedia
Jump to navigation Jump to search
← Older editNewer edit →
AlexDriv (talk | contribs)
Bureaucrats, Interface administrators, Administrators
75 edits
VisualWikitext
No edit summary
No edit summary
Line 1: Line 1:
= Modbus =
=== Baud Rate ===


[[File:modbus_baudrate_diagram.png|thumb|400px|right|Diagram showing how baud rate affects the time width of each bit on the signal line.]]


== Overview ==
'''Baud rate''' defines the number of signal changes per second on the communication line. In Modbus RTU, one symbol = one binary bit, so baud rate = bits per second.


Modbus is an open, serial communication protocol originally developed for use in programmable logic controllers (PLCs). It has since become one of the most widely deployed industrial communication protocols in the world, particularly in Building Management Systems (BMS), SCADA environments, energy metering, and industrial automation.
==== Common Baud Rate Values ====
 
Modbus operates on a master-slave (also referred to as client-server in newer documentation) architecture, where a single master device initiates all communication and one or more slave devices respond. It is valued for its simplicity, robustness, and vendor-neutral design — making it ideal for integrating devices from multiple manufacturers into a unified control system.
 
In BMS applications, Modbus is commonly used to communicate with energy meters, variable frequency drives (VFDs), chillers, boilers, air handling units (AHUs), and a wide range of sensors and actuators.
 
----
 
== History ==
 
Modbus was developed in 1979 by Modicon (now a brand of Schneider Electric) for use with their programmable logic controllers. It was designed as a simple and robust protocol for serial communication between controllers on a production floor.
 
In 1996, Modbus over TCP/IP (Modbus TCP) was introduced, allowing the protocol to be used over modern Ethernet networks. This dramatically expanded its use cases and kept it relevant into the internet era.
 
In 2004, the rights to the Modbus specification were transferred to the Modbus Organization, a non-profit trade association that maintains and promotes the standard to this day. The protocol remains publicly available and royalty-free, which is a significant reason for its continued adoption over proprietary alternatives.
 
Today Modbus exists in three primary variants: Modbus RTU and Modbus ASCII (both for serial communication), and Modbus TCP/IP (for Ethernet communication).
 
----
 
== Protocol Architecture ==
 
=== Master-Slave Model ===
 
Modbus uses a strict master-slave architecture. There is always one master and up to 247 addressable slave devices on a single serial bus. Each slave is assigned a unique address between 1 and 247. Address 0 is reserved for broadcast messages, which all slaves receive but do not respond to.
 
The master is always the initiator of communication. A slave device never transmits data unless it has first been queried by the master. This eliminates bus collisions and keeps the protocol deterministic — an important quality in control systems where timing and reliability are critical.
 
In a BMS context, the master is typically the Building Management Controller (BMC) or a gateway device, and the slaves are field devices such as energy meters, controllers, or sensors.
 
=== Request-Response Cycle ===
 
Every Modbus transaction follows a simple two-step cycle:
 
# The '''master''' sends a request frame to a specific slave address (or broadcast to address 0).
# The '''slave''' receives the request, processes it, and returns a response frame to the master.
 
If the slave receives a valid request but cannot comply (e.g. the register address does not exist), it returns an '''exception response''' containing an error code. If the master receives no response within its configured timeout window, it may retry the request or log a communication fault.
 
A full Modbus RTU frame consists of the following fields in order:


{| class="wikitable"
{| class="wikitable"
|-
|-
! Field !! Size !! Description
! Baud Rate !! Bits per Second !! Typical Use Case
|-
| 1200 || 1,200 bps || Legacy devices, long cable runs
|-
| 2400 || 2,400 bps || Older meters and sensors
|-
| 4800 || 4,800 bps || Moderate speed legacy devices
|-
| 9600 || 9,600 bps || '''Most common default'''
|-
|-
| Device Address || 1 byte || Slave address (1–247), or 0 for broadcast
| 19200 || 19,200 bps || Standard BMS installations
|-
|-
| Function Code || 1 byte || Defines the type of action requested
| 38400 || 38,400 bps || Higher performance systems
|-
|-
| Data || Variable || Register addresses, values, or quantities
| 57600 || 57,600 bps || Fast networks, shorter cable runs
|-
|-
| CRC || 2 bytes || Error checking (Cyclic Redundancy Check)
| 115200 || 115,200 bps || Maximum practical RS-485 speed
|}
|}


----
==== How Baud Rate Affects the Signal ====


== Transmission Modes ==
Each bit occupies a fixed time window: <code>Bit Period = 1 / Baud Rate</code>


=== Modbus RTU ===
At 9600 baud each bit lasts '''104 microseconds'''. At 115200 baud each bit lasts '''8.7 microseconds'''.


Modbus RTU (Remote Terminal Unit) is the most common implementation of the protocol in BMS and industrial environments. Data is transmitted as binary bytes over an RS-232 or RS-485 serial connection.
{{Mbox
|type=notice
|text=
'''Modbus RTU — Bit-Level Breakdown: Single Byte at 9600 Baud, 8N1'''


Each byte of data is encoded as a single binary character. The framing of messages is defined by silent intervals (gaps) between characters — a gap of at least 3.5 character times signals the start or end of a message frame.
The byte <code>0x41</code> (decimal 65) on the RS-485 wire at 9600 baud:


RTU is preferred over ASCII for most applications because it is more efficient: it transmits the same data in roughly half the number of bytes, making better use of available bandwidth.
<pre>
Bit:     Start  D0  D1  D2  D3  D4  D5  D6  D7  Stop
Value:    0    1    0    0    0    0    0    1    0    1
µs each: 104µs per bit window
</pre>


Key characteristics:
* '''Start bit''' (1 bit, always 0): Pulls line LOW — signals receiver to begin reading
* Binary encoding
* '''D0–D7''' (8 bits): Binary data, transmitted LSB first. <code>0x41</code> = <code>01000001</code> → wire order: 1,0,0,0,0,0,1,0
* CRC-16 error checking
* '''Stop bit''' (1 bit, always 1): Returns line HIGH — marks end of byte
* Message framing via inter-character silence (3.5 character times)
* Physical layer: RS-485 (most common), RS-232, RS-422


=== Modbus ASCII ===
Total frame = 10 bits × 104µs = '''1.04ms per byte'''
}}


Modbus ASCII transmits data as ASCII text characters rather than raw binary. Each byte of data is represented as two hexadecimal ASCII characters (e.g. the byte <code>0x5B</code> is sent as the characters <code>5</code> and <code>B</code>).
{{Mbox
|type=notice
|text=
'''Modbus RTU — Full Message Example: FC03 Read Holding Register'''


ASCII mode uses a colon (<code>:</code>) as a start delimiter and CR/LF characters as an end delimiter. It uses LRC (Longitudinal Redundancy Check) for error checking rather than CRC.
Master reads 1 holding register (address 0x0000 = register 40001) from slave address 0x01.


ASCII mode is less bandwidth-efficient than RTU but is easier to debug with simple terminal tools and is more tolerant of timing variations on noisy or slow serial lines. It is rarely used in modern BMS installations.
'''Frame in hex — 8 bytes total:'''
<pre>
Byte:  [  1  ] [  2  ] [  3  ] [  4  ] [  5  ] [  6  ] [  7  ] [  8  ]
Field: [Slave ] [ FC  ] [RegHi] [RegLo] [QtyHi] [QtyLo] [CRCLo] [CRCHi]
Hex:  [ 0x01 ] [0x03 ] [0x00 ] [0x00 ] [0x00 ] [0x01 ] [0x84 ] [0x0A ]
</pre>


=== Modbus TCP/IP ===
'''Each byte in Modbus RTU binary (8N1, LSB first, 9600 baud):'''
<pre>
Byte 1 — Slave Address 0x01 (00000001):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
  0  1  0  0  0  0  0  0  0  1


Modbus TCP/IP wraps the standard Modbus PDU (Protocol Data Unit) inside a TCP packet and transmits it over a standard Ethernet network. It uses port '''502''' by default.
Byte 2 — Function Code 0x03 (00000011):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
  0  1  1  0  0  0  0  0  0  1


The serial-specific fields (device address and CRC) are replaced by a '''MBAP header''' (Modbus Application Protocol header), which contains a transaction identifier, protocol identifier, message length, and unit identifier.
Byte 3 — Register Address High 0x00 (00000000):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
  0  0  0  0  0  0  0  0  0  1


Modbus TCP removes the need for RS-485 wiring and allows Modbus devices to be integrated into IP-based building networks. Many modern BMS gateways and energy meters support Modbus TCP natively or via an RS-485-to-Ethernet converter.
Byte 4 — Register Address Low 0x00 (00000000):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
  0  0  0  0  0  0  0  0  0  1


----
Byte 5 — Quantity High 0x00 (00000000):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
  0  0  0  0  0  0  0  0  0  1


== Communication Parameters ==
Byte 6 — Quantity Low 0x01 (00000001):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
  0  1  0  0  0  0  0  0  0  1


Communication parameters are the settings that define how data is physically transmitted between the master and slave devices on a serial Modbus network. All devices on the same bus '''must be configured with identical parameters''' a mismatch in any one setting will cause communication failures.
Byte 7 CRC Low 0x84 (10000100):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
  0  0  0  1  0  0  0  0  1  1


The parameters covered here apply primarily to Modbus RTU and Modbus ASCII (serial variants). Modbus TCP uses standard IP networking parameters instead.
Byte 8 — CRC High 0x0A (00001010):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
  0  0  1  0  1  0  0  0  0  1


----
[S] = Start bit (always 0)   [P] = Stop bit (always 1)
 
</pre>
=== Baud Rate ===
 
[[File:modbus_baudrate_diagram.png|thumb|400px|right|Diagram showing how baud rate affects the time width of each bit on the signal line. A higher baud rate means narrower bit windows and faster data transmission.]]
 
'''Baud rate''' defines the number of signal changes (symbols) per second on the communication line. In the context of Modbus serial communication, one symbol corresponds to one binary bit, so baud rate is effectively the number of bits transmitted per second (bps).
 
==== Common Baud Rate Values ====


'''What each field does:'''
{| class="wikitable"
{| class="wikitable"
|-
|-
! Baud Rate !! Bits per Second !! Typical Use Case
! Bytes !! Field !! Value !! Purpose
|-
| 1200 || 1,200 bps || Legacy devices, long cable runs with poor quality cable
|-
| 2400 || 2,400 bps || Older meters and sensors
|-
|-
| 4800 || 4,800 bps || Moderate speed legacy devices
| 1 || Slave Address || 0x01 || Target device on the RS-485 bus
|-
|-
| 9600 || 9,600 bps || '''Most common default''' — widely supported by all devices
| 2 || Function Code || 0x03 || Instruction: Read Holding Registers
|-
|-
| 19200 || 19,200 bps || Standard BMS installations with moderate device counts
| 3–4 || Starting Address || 0x0000 || Begin at register 0 (Modbus register 40001)
|-
|-
| 38400 || 38,400 bps || Higher performance systems
| 5–6 || Quantity || 0x0001 || Read 1 register (16-bit value)
|-
|-
| 57600 || 57,600 bps || Fast networks, shorter cable runs
| 7–8 || CRC-16 || 0x0A84 || Error check — slave silently discards frame if CRC fails
|-
| 115200 || 115,200 bps || Maximum practical speed for RS-485 in most installations
|}
|}


The default baud rate for Modbus RTU is '''9600 bps''', though 19200 bps is very common in BMS environments.
'''Transmission time at 9600 baud, 8N1:'''
 
8 bytes × 10 bits = 80 bits → 80 × 104µs = '''8.32ms''' to send the full request frame
==== How Baud Rate Looks in Binary ====
 
Each bit occupies a fixed time window called the '''bit period''', calculated as:
 
<code>Bit Period = 1 / Baud Rate</code>
 
At 9600 baud, each bit lasts approximately '''104 microseconds'''. At 115200 baud, each bit lasts approximately '''8.7 microseconds'''.
 
{{Mbox
|type=notice
|text=
'''Binary Signal Breakdown — Baud Rate Example'''
 
Below is what the byte <code>0x41</code> (decimal 65, ASCII "A") looks like on the wire at 9600 baud in Modbus RTU (8N1 framing):
 
<pre>
Bit:   Start  D0  D1  D2  D3  D4  D5  D6  D7  Stop
Value:    0    1    0    0    0    0    0    1    0    1
        ___                          ___
    ____|  |________________________|  |________  (idle high = 1, start bit pulls low)
</pre>
 
What each position means:
* '''Start bit''' (1 bit): Always logic 0. Signals the beginning of a byte. Pulls the line LOW.
* '''D0–D7''' (8 bits): The actual data byte, transmitted LSB (least significant bit) first. For <code>0x41</code> = <code>01000001</code> binary, the wire sends: 1, 0, 0, 0, 0, 0, 1, 0 (LSB first).
* '''Stop bit''' (1 bit): Always logic 1. Returns line HIGH, signalling end of byte.
 
Total bits per byte at 8N1 = 10 bits (1 start + 8 data + 1 stop).
At 9600 baud, one full byte takes: 10 × 104µs = '''1.04 milliseconds'''.
}}
}}


==== Effect on Cable Length ====
==== Effect on Cable Length ====


Higher baud rates require better quality cabling and are more sensitive to signal degradation over distance. As a general rule:
* 9600 baud — up to ~1200m on good RS-485 twisted pair
 
* 19200 baud — up to ~600m
* 9600 baud — reliable up to approximately 1200 metres on good RS-485 cable
* 115200 baud — up to ~100m
* 19200 baud — reliable up to approximately 600 metres
* 115200 baud — reliable up to approximately 100 metres


----
----
Line 176: Line 135:
=== Parity ===
=== Parity ===


[[File:modbus_parity_diagram.png|thumb|400px|right|Diagram illustrating Even, Odd, and No parity bit positions within a serial data frame. The parity bit is inserted between the last data bit and the stop bit.]]
[[File:modbus_parity_diagram.png|thumb|400px|right|Parity bit position within a Modbus RTU serial frame.]]
 
'''Parity''' is a basic error detection mechanism. It adds a single extra bit to each transmitted byte, allowing the receiver to detect single-bit transmission errors.


The parity bit is placed after the 8 data bits and before the stop bit(s). It adjusts the total number of 1s in the data frame to be either always even (Even parity) or always odd (Odd parity).
'''Parity''' adds a single calculated bit after the 8 data bits in each Modbus RTU character frame, providing basic single-bit error detection at the byte level. CRC-16 handles error detection at the full message level.


==== Parity Modes ====
==== Parity Modes ====
Line 186: Line 143:
{| class="wikitable"
{| class="wikitable"
|-
|-
! Mode !! Abbreviation !! Description
! Mode !! Code !! Description
|-
|-
| Even Parity || E || The parity bit is set so that the total number of 1 bits in the data byte + parity bit is '''even'''
| Even || E || Parity bit makes total count of 1s in the frame even
|-
|-
| Odd Parity || O || The parity bit is set so that the total number of 1 bits in the data byte + parity bit is '''odd'''
| Odd || O || Parity bit makes total count of 1s in the frame odd
|-
|-
| No Parity || N || No parity bit is transmitted. Error checking relies on CRC only. Requires 2 stop bits in Modbus RTU to maintain frame timing.
| None || N || No parity bit. 2 stop bits recommended per Modbus spec to maintain frame length.
|-
|-
| Mark Parity || M || Parity bit is always 1, regardless of data. Rarely used.
| Mark || M || Parity bit always 1. Rarely used.
|-
|-
| Space Parity || S || Parity bit is always 0, regardless of data. Rarely used.
| Space || S || Parity bit always 0. Rarely used.
|}
|}


The Modbus specification recommends '''Even parity''' as the default. However, '''8N1''' (8 data bits, No parity, 1 stop bit) is extremely common in practice and is the de facto standard for most BMS devices.
The Modbus RTU specification recommends '''Even parity''' as default. In practice '''8N1''' (no parity, 1 stop bit) is the most common configuration in BMS installations.
 
==== How Parity Looks in Binary ====


{{Mbox
{{Mbox
|type=notice
|type=notice
|text=
|text=
'''Binary Signal Breakdown Parity Bit Example'''
'''Modbus RTU — Bit-Level Breakdown: Parity Bit Calculation'''


Example byte: <code>0x31</code> = binary <code>00110001</code>
Example byte: <code>0x31</code> = binary <code>00110001</code>
Count of 1-bits in data = 3


Count of 1 bits: 3 (three 1s in the data byte)
'''Even Parity (8E1)''' — 3 is odd, so parity bit = 1 to reach even total (3+1=4):
<pre>
Bit:  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
Value:  0    1  0  0  0  1  1  0  0    1    1
</pre>


'''Even Parity:'''
'''Odd Parity (8O1)''' — 3 is already odd, so parity bit = 0 to keep total odd (3+0=3):
Since there are already 3 ones (odd count), the parity bit is set to '''1''' to make the total even (3 + 1 = 4, which is even).
<pre>
Bit:  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
Value:  0    1  0  0  0  1  1  0  0    0    1
</pre>


'''No Parity (8N1)''' — no parity bit, one stop bit only:
<pre>
<pre>
Bit:   Start D0   D1   D2   D3   D4   D5   D6   D7   Par Stop
Bit:   [S] D0 D1 D2 D3 D4 D5 D6 D7  [P]
Value:   0    1   0   0   0   1   1   0   0   1   1
Value: 0    1   0   0   0   1   1   0   0    1
</pre>
</pre>


'''Odd Parity:'''
'''No Parity (8N2)''' — no parity bit, two stop bits to maintain 11-bit frame:
Since there are already 3 ones (odd count), the parity bit is set to '''0''' to keep the total odd (3 + 0 = 3, which is odd).
 
<pre>
<pre>
Bit:   Start D0   D1   D2   D3   D4   D5   D6   D7   Par Stop
Bit:   [S] D0 D1 D2 D3 D4 D5 D6 D7  [P1] [P2]
Value:   0    1   0   0   0   1   1   0   0    0   1
Value: 0    1   0   0   0   1   1   0   0    1   1
</pre>
</pre>


'''No Parity (8N1):'''
[S] = Start bit  [Par] = Parity bit  [P] = Stop bit
No parity bit at all. An extra stop bit is added to maintain frame length.
}}
 
{{Mbox
|type=notice
|text=
'''Modbus RTU — Full Message Example: FC03 Request with Even Parity (8E1)'''
 
Same request as the Baud Rate example — slave 0x01, FC03, register 0x0000, quantity 0x0001, CRC 0x840A — but now shown with Even parity applied to every byte.
 
Parity bit rule: count the 1s in D0–D7. If count is odd → parity = 1. If count is even → parity = 0.


<pre>
<pre>
Bit:   Start D0   D1  D2   D3   D4   D5   D6   D7   Stop Stop
Byte 1 — Slave 0x01 (00000001) — one 1-bit → parity = 1:
Value:    0    1    0    0    0    1   1    0    0    1   1
  [S] D0 D1 D2  D3  D4  D5  D6  D7  [Par] [P]
</pre>
  0    1   0   0   0   0   0   0   0    1    1
 
Byte 2 — FC 0x03 (00000011) — two 1-bits → parity = 0:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
   0    1   1  0  0  0  0  0  0   0     1
 
Byte 3 — RegHi 0x00 (00000000) — zero 1-bits → parity = 0:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
   0    0  0  0  0  0  0  0  0    0    1
 
Byte 4 — RegLo 0x00 (00000000) — zero 1-bits → parity = 0:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
   0    0  0  0  0  0  0  0  0    0    1


What each position means:
Byte 5 — QtyHi 0x00 (00000000) — zero 1-bits → parity = 0:
* '''Start bit''': Always 0. Triggers the receiver to start reading.
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
* '''D0–D7''': The 8 data bits (LSB first).
  0    0  0  0  0  0  0  0  0    0    1
* '''Parity bit''': Calculated from the data bits. Used to detect single-bit errors.
* '''Stop bit(s)''': Always 1. Marks the end of the character frame.
}}


==== Parity Limitation ====
Byte 6 — QtyLo 0x01 (00000001) — one 1-bit → parity = 1:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
  0    1  0  0  0  0  0  0  0    1    1


Parity can only detect an '''odd number''' of bit errors. If two bits flip simultaneously (double-bit error), the parity check will still pass even though the data is wrong. This is why Modbus RTU also uses CRC-16 at the message level the two mechanisms complement each other.
Byte 7 — CRCLo 0x84 (10000100) — two 1-bits → parity = 0:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
  0    0  0  1  0  0  0  0  1    0    1


----
Byte 8 — CRCHi 0x0A (00001010) — two 1-bits → parity = 0:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
  0    0  1  0  1  0  0  0  0    0    1
</pre>


=== Data Bits ===
8E1 framing = 11 bits per byte (1 start + 8 data + 1 parity + 1 stop)
8 bytes × 11 bits = 88 bits → at 9600 baud = '''9.17ms''' to transmit the full request


[[File:modbus_databits_diagram.png|thumb|400px|right|Diagram showing the position of data bits within a serial frame. Data bits D0 through D7 carry the actual payload, transmitted LSB first.]]
The parity bit is recalculated independently for each byte — it is not a fixed value across the frame.
}}


'''Data bits''' refers to the number of bits used to represent each unit of data (one character or byte) within a single serial frame.
----


In Modbus, this value is virtually always '''8 data bits'''. Using 8 bits allows each frame to carry one full byte of information, which aligns directly with how Modbus RTU encodes its binary protocol data.
=== Data Bits ===


The only exception is Modbus ASCII, which can operate with 7 data bits because it uses only printable ASCII characters (all of which fit within 7 bits).
[[File:modbus_databits_diagram.png|thumb|400px|right|Data bit positions D0–D7 within a Modbus RTU character frame, transmitted LSB first.]]


==== How Data Bits Look in Binary ====
'''Data bits''' is the number of bits carrying actual payload within each Modbus RTU character frame. This is always '''8''' in Modbus RTU. 8 bits = 1 byte = values 0–255 per frame. For values larger than 255, Modbus RTU uses two consecutive bytes (one 16-bit register) or four bytes (two registers for 32-bit values).


{{Mbox
{{Mbox
|type=notice
|type=notice
|text=
|text=
'''Binary Signal Breakdown Data Bits Detail'''
'''Modbus RTU — Bit-Level Breakdown: Data Bit Weighting'''


Example byte: <code>0xB4</code> = decimal 180 = binary <code>10110100</code>
Example byte: <code>0xB4</code> = decimal 180 = binary <code>10110100</code>


The 8 data bits are transmitted '''LSB first''' (D0 is the least significant bit):
Modbus RTU transmits data bits LSB first (D0 first, D7 last):
 
<pre>
<pre>
Bit positionStart D0   D1   D2   D3   D4   D5   D6   D7   Stop
Bit:  [S] D0 D1 D2 D3 D4 D5 D6 D7 [P]
Binary value:     0    0   0   1   0   1   1   0    1    1
Value: 0    0   0   1   0   1   1   0   1   1
</pre>
</pre>
Reading the data bits from D0 to D7: 0, 0, 1, 0, 1, 1, 0, 1
Reversing to MSB order (D7 to D0): 1, 0, 1, 1, 0, 1, 0, 0 = <code>10110100</code> = <code>0xB4</code> ✓
'''What each data bit position represents:'''


{| class="wikitable"
{| class="wikitable"
|-
|-
! Bit !! Position !! Binary Weighting !! Notes
! Bit !! Wire Order !! Weight !! Bit Value in 0xB4 !! Contributes
|-
| D0 || 1st transmitted || 2⁰ = 1 || 0 || 0
|-
|-
| D0 || Least Significant Bit || 2⁰ = 1 || Transmitted first on the wire
| D1 || 2nd || = 2 || 0 || 0
|-
|-
| D1 || || = 2 ||
| D2 || 3rd || = 4 || 1 || 4
|-
|-
| D2 || || = 4 ||
| D3 || 4th || = 8 || 0 || 0
|-
|-
| D3 || || = 8 ||
| D4 || 5th || 2⁴ = 16 || 1 || 16
|-
|-
| D4 || || 2⁴ = 16 ||
| D5 || 6th || 2⁵ = 32 || 1 || 32
|-
|-
| D5 || || 2⁵ = 32 ||
| D6 || 7th || 2⁶ = 64 || 0 || 0
|-
|-
| D6 || || 2⁶ = 64 ||
| D7 || 8th (last) || 2⁷ = 128 || 1 || 128
|-
|-
| D7 || Most Significant Bit || 2⁷ = 128 || Transmitted last, before parity/stop
| '''Total''' || || — || — || '''4+16+32+128 = 180 = 0xB4 ✓'''
|}
|}
The total possible values representable by 8 data bits = 2⁸ = 256 (values 0–255).
}}
}}
----
=== Stop Bits ===
[[File:modbus_stopbits_diagram.png|thumb|400px|right|Diagram comparing 1 stop bit vs 2 stop bits in a serial frame. The stop bit(s) are the final element of a character frame, returning the line to the idle HIGH state.]]
'''Stop bits''' mark the end of a character frame. After the data bits (and optional parity bit) have been transmitted, the transmitter sends one or two stop bits by holding the line in the HIGH (idle) state for the duration of those bit periods.
Stop bits give the receiver time to process the incoming byte and prepare for the next start bit. They also provide a guaranteed idle state between characters so that the receiver can reliably detect the falling edge of the next start bit.
==== Stop Bit Configurations ====
{| class="wikitable"
|-
! Configuration !! Stop Bits !! When Used
|-
| 8N1 || 1 stop bit || No parity — most common Modbus RTU configuration
|-
| 8E1 || 1 stop bit || Even parity
|-
| 8O1 || 1 stop bit || Odd parity
|-
| 8N2 || 2 stop bits || No parity — provides additional recovery time; used on noisy lines
|}
The Modbus specification states: if no parity is used, 2 stop bits are recommended to maintain equivalent frame length. In practice however, 8N1 (1 stop bit, no parity) is by far the most common configuration encountered in BMS installations.
==== How Stop Bits Look in Binary ====


{{Mbox
{{Mbox
|type=notice
|type=notice
|text=
|text=
'''Binary Signal Breakdown Stop Bit Comparison'''
'''Modbus RTU Full Message Example: FC03 Slave Response with Register Decoding'''


Example byte: <code>0x55</code> = binary <code>01010101</code>
Slave 0x01 responds to the FC03 request. Register 40001 holds value 0x0190 (decimal 400), representing a supply air temperature of 40.0°C (scale factor ÷10).


'''8E1 Even Parity, 1 Stop Bit:'''
'''Response frame in hex 7 bytes total:'''
Number of 1s in data = 4 (even), so parity bit = 0
<pre>
Byte:  [  1  ] [  2  ] [  3  ] [  4 ] [  5  ] [  6  ] [  7  ]
Field: [Slave ] [ FC  ] [ByteCt] [DatHi] [DatLo] [CRCLo] [CRCHi]
Hex:  [ 0x01 ] [0x03 ] [ 0x02 ] [0x01 ] [0x90 ] [0xF8 ] [0x4B ]
</pre>


'''Critical bytes expanded in Modbus RTU binary (8N1, LSB first):'''
<pre>
<pre>
Bit:   Start D0   D1   D2   D3   D4   D5   D6   D7   Par Stop
Byte 3 — Byte Count 0x02 (00000010):
Value:   0    1   0    1    0    1   0    1    0    0    1
  [S] D0 D1 D2 D3 D4 D5 D6 D7  [P]
        ←————————————————— 11 bits total ——————————————————→
   0    1   0  0  0  0  0  0    1
  D1 = 2¹ = 2 → 2 data bytes follow (one 16-bit register) ✓
 
Byte 4 — Data High Byte 0x01 (00000001):
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [P]
   0    1   0  0  0  0  0  0  0    1
  D0 = 1 → High byte value = 1
 
Byte 5 — Data Low Byte 0x90 (10010000):
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [P]
   0    0   0  0  0  1  0  0  1   1
  D4 = 16, D7 = 128 → 16+128 = 144 = 0x90
</pre>
</pre>


'''8N2 No Parity, 2 Stop Bits:'''
'''Reconstructing the 16-bit register value (Big Endian high byte first):'''
<pre>
High byte:  0x01 × 256  =  256
Low byte:  0x90        =  144
                          ─────
Register value:            400  =  0x0190


<pre>
Applied scale factor ÷10400 ÷ 10  =  40.0°C
Bit:   Start D0  D1  D2  D3  D4  D5  D6  D7  Stop Stop
Value:    0    1    0    1    0    1    0    1    0    1    1
        ←————————————————— 11 bits total ——————————————————→
</pre>
</pre>


Both configurations result in 11 bits per character frame, maintaining the same total frame length and timing compatibility.
Modbus RTU always sends the high byte of a 16-bit register before the low byte. This is Big Endian byte order. Some devices deviate from this — always check the device register map.
 
'''Key rule:''' The line must be idle (HIGH) for the entire stop bit period before the next start bit (LOW) can be recognised. If the line goes low before the stop bit period ends, the receiver flags a '''framing error'''.
}}
}}


----
----


=== Flow Control ===
=== Stop Bits ===


[[File:modbus_flowcontrol_diagram.png|thumb|400px|right|Diagram showing hardware flow control signals RTS and CTS on a serial connection. In RS-485 half-duplex operation, RTS is used to switch the driver between transmit and receive mode.]]
[[File:modbus_stopbits_diagram.png|thumb|400px|right|1 stop bit vs 2 stop bits in a Modbus RTU character frame.]]


'''Flow control''' is a mechanism that manages the rate of data transmission between devices, preventing a fast sender from overwhelming a slow receiver. In Modbus serial communication, flow control is relevant primarily in RS-232 connections and in RS-485 half-duplex bus switching.
'''Stop bits''' return the RS-485 line to the idle HIGH state after each Modbus RTU character frame. The receiver requires this idle period to correctly detect the falling edge of the next start bit.


==== Flow Control Types ====
==== Stop Bit Configurations ====


{| class="wikitable"
{| class="wikitable"
|-
|-
! Type !! Method !! Description
! Config !! Stop Bits !! Parity !! Total Bits per Frame !! Notes
|-
|-
| None || || No flow control. The most common setting for Modbus RTU on RS-485.
| 8N1 || 1 || None || 10 || Most common Modbus RTU configuration in BMS
|-
|-
| Hardware (RTS/CTS) || Physical signal lines || The sender asserts RTS (Request To Send); receiver replies with CTS (Clear To Send). Data flows only when CTS is active.
| 8E1 || 1 || Even || 11 || Modbus spec default — even parity + 1 stop
|-
|-
| Software (XON/XOFF) || In-band control bytes || Special ASCII characters (0x11 = XON, 0x13 = XOFF) are inserted into the data stream to pause and resume transmission. Not compatible with binary protocols like Modbus RTU.
| 8O1 || 1 || Odd || 11 || Odd parity + 1 stop
|-
|-
| RTS toggle (RS-485) || RTS line used for direction control || In half-duplex RS-485, the RTS line is used to switch the transceiver between transmit mode and receive mode. This is a driver enable signal, not true flow control.
| 8N2 || 2 || None || 11 || No parity, 2 stops — maintains 11-bit frame on noisy lines
|}
|}
==== RS-485 and Half-Duplex Direction Control ====
RS-485 is inherently a half-duplex medium — devices cannot transmit and receive simultaneously. To prevent bus contention, the RS-485 driver must be enabled only when transmitting and returned to receive mode immediately after.
In many Modbus RTU implementations, the RTS signal from the UART is wired to the DE/RE (Driver Enable / Receiver Enable) pins of the RS-485 transceiver chip. This is often called '''RTS flow control''' in software configuration, even though it is technically a bus direction control mechanism rather than data flow control.


{{Mbox
{{Mbox
|type=notice
|type=notice
|text=
|text=
'''Binary Signal Breakdown RS-485 RTS/Direction Control'''
'''Modbus RTU Bit-Level Breakdown: Stop Bit Comparison'''


Sequence when a Modbus master sends a request:
Example byte: <code>0x55</code> = binary <code>01010101</code> — four 1-bits (even count)


'''8N1 — No Parity, 1 Stop Bit (10 bits total):'''
<pre>
<pre>
Time →
Bit:  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [P]
Value:  0    1  0  1  0  1  0  1  0    1
        ←————————————— 10 bits ——————————————→
</pre>


RTS:    ___________________
'''8E1 — Even Parity, 1 Stop Bit (11 bits total):'''
      |                  |
Four 1-bits in data = even count → parity = 0
_______|                  |_______  (RTS HIGH = transmit mode enabled)
<pre>
Bit:  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
Value: 0   1  0  1  0  1  0  1  0    0    1
        ←—————————————— 11 bits ———————————————→
</pre>


TX:   | [Modbus Frame Data............] |
'''8N2 — No Parity, 2 Stop Bits (11 bits total):'''
      ^                                  ^
<pre>
    RTS asserted                      RTS released
Bit:   [S]  D0  D1  D2  D3  D4  D5  D6  D7 [P1] [P2]
    (driver enabled)              (driver disabled, line released)
Value: 0    1  0  1  0  1  0  1  0    1   1
 
        ←—————————————— 11 bits ———————————————→
RX:    _______________________________________
                                              |
                                              | ← Slave response begins here
</pre>
</pre>


'''What each signal does:'''
If the line goes LOW before the stop bit period ends, the receiver flags a '''framing error''' and discards the byte. The resulting CRC mismatch causes the master to timeout with no response.
* '''RTS asserted HIGH:''' Enables the RS-485 driver. The master ''owns'' the bus and transmits its request frame.
* '''TX line:''' Carries the actual Modbus RTU binary data (address, function code, data, CRC).
* '''RTS released LOW:''' Disables the RS-485 driver. The master releases the bus and switches to receive mode.
* '''RX line:''' The slave's response arrives. The master reads it with its receiver enabled.
 
Timing of RTS is critical — releasing too early can truncate the last stop bit of the frame. Releasing too late blocks the slave response. Most modern USB-RS485 adapters handle this automatically.
}}
}}


In most BMS applications using RS-485, flow control is set to '''None''' in the software configuration, with the hardware adapter managing direction control automatically. Only when using older RS-232 point-to-point wiring is explicit hardware flow control (RTS/CTS) typically required.
{{Mbox
|type=notice
|text=
'''Modbus RTU — Full Message Example: FC06 Write Single Register'''


----
Master writes value 0x0064 (decimal 100 = setpoint 10.0°C at scale ÷10) to register 40002 (address 0x0001) on slave 0x01.


== Data Model ==
'''Request frame in hex — 8 bytes:'''
<pre>
Byte:  [  1  ] [  2  ] [  3  ] [  4  ] [  5  ] [  6  ] [  7  ] [  8  ]
Field: [Slave ] [ FC  ] [RegHi] [RegLo] [ValHi] [ValLo] [CRCLo] [CRCHi]
Hex:  [ 0x01 ] [0x06 ] [0x00 ] [0x01 ] [0x00 ] [0x64 ] [0x49 ] [0xA4 ]
</pre>


Modbus organises data into four distinct object types, each with a defined address space. The master accesses these objects using function codes.
'''Full frame in Modbus RTU binary, 8N1 format:'''
<pre>
          [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
Byte 1 0x01: 0  1  0  0  0  0  0  0  0  1  ← Slave address
Byte 2 0x06: 0  0  1  1  0  0  0  0  0  1  ← Write Single Register
Byte 3 0x00: 0  0  0  0  0  0  0  0  0  1  ← Register address high
Byte 4 0x01: 0  1  0  0  0  0  0  0  0  1  ← Register address low (reg 40002)
Byte 5 0x00: 0  0  0  0  0  0  0  0  0  1  ← Value high byte
Byte 6 0x64: 0  0  0  1  0  0  1  1  0  1  ← Value low byte (100 decimal)
Byte 7 0x49: 0  1  0  0  1  0  0  1  0  1  ← CRC low
Byte 8 0xA4: 0  0  0  1  0  0  1  0  1  1  ← CRC high
</pre>


=== Coils ===
On a successful FC06 write the slave echoes the '''entire 8-byte request frame back unchanged''' as its response. If the stop bit on any byte is corrupted, that byte is discarded as a framing error, the CRC check fails, and the master receives no response.


Coils are single-bit read/write values. They represent binary output states such as a relay, a digital output, or an on/off command. The address range is 1–9999 (using 1-based Modbus convention) or 0x0000–0xFFFF (using the 0-based PDU addressing).
Transmission time at 9600 baud, 8N1: 8 bytes × 10 bits × 104µs = '''8.32ms'''
 
}}
Examples in BMS: Fan on/off command, valve open/close output, alarm reset.
 
=== Discrete Inputs ===
 
Discrete inputs are single-bit read-only values. They represent binary input states such as a digital sensor, a status contact, or a switch position. Address range: 10001–19999.
 
Examples in BMS: Door open sensor, high temperature alarm contact, filter dirty status.
 
=== Holding Registers ===
 
Holding registers are 16-bit read/write registers. They are the most commonly used data type in Modbus and can hold values such as setpoints, configurations, and output values. Address range: 40001–49999.
 
A single holding register holds values from 0 to 65535 (unsigned) or -32768 to 32767 (signed). For larger values (e.g. floating point temperatures or energy readings), two consecutive registers are used together to form a 32-bit value.
 
Examples in BMS: Temperature setpoint, VFD speed reference, valve position command.
 
=== Input Registers ===
 
Input registers are 16-bit read-only registers. They represent measured or computed values provided by the slave device. Address range: 30001–39999.
 
Examples in BMS: Supply air temperature, room CO₂ concentration, energy meter active power reading.


----
----


== Function Codes ==
=== Flow Control ===


Function codes tell the slave device what action to perform. They are carried in the second byte of every Modbus frame.
[[File:modbus_flowcontrol_diagram.png|thumb|400px|right|RS-485 RTS direction switching during a Modbus RTU request/response cycle.]]


=== Read Functions ===
'''Flow control''' in Modbus RTU on RS-485 is almost always set to '''None''' in software. The physical RS-485 half-duplex bus requires direction switching between transmit and receive, but this is handled by the hardware driver enable (DE) pin on the RS-485 transceiver, not by a software flow control protocol.


{| class="wikitable"
==== Flow Control Types ====
|-
! Function Code !! Hex !! Name !! Reads
|-
| 01 || 0x01 || Read Coils || Coils (1-bit, read/write)
|-
| 02 || 0x02 || Read Discrete Inputs || Discrete Inputs (1-bit, read-only)
|-
| 03 || 0x03 || Read Holding Registers || Holding Registers (16-bit, read/write)
|-
| 04 || 0x04 || Read Input Registers || Input Registers (16-bit, read-only)
|}
 
=== Write Functions ===


{| class="wikitable"
{| class="wikitable"
|-
|-
! Function Code !! Hex !! Name !! Writes
! Type !! Method !! Compatible with Modbus RTU
|-
|-
| 05 || 0x05 || Write Single Coil || Single coil ON (0xFF00) or OFF (0x0000)
| None || || ✓ Standard for RS-485
|-
|-
| 06 || 0x06 || Write Single Register || Single holding register
| Hardware RTS/CTS || Physical signal lines || Only on RS-232 point-to-point
|-
|-
| 15 || 0x0F || Write Multiple Coils || Multiple coils
| Software XON/XOFF || In-band bytes 0x11 / 0x13 || ✗ Incompatible — binary protocol
|-
|-
| 16 || 0x10 || Write Multiple Registers || Multiple holding registers
| RTS as DE toggle || RTS drives RS-485 DE pin || ✓ Used by USB-RS485 adapters
|}
|}


=== Diagnostic Functions ===
{{Mbox
|type=notice
|text=
'''Modbus RTU — Bit-Level Breakdown: RS-485 Half-Duplex Direction Control'''


{| class="wikitable"
In Modbus RTU on RS-485, the driver enable (DE) signal controls which device is transmitting. Only one device may drive the bus at a time.
|-
! Function Code !! Hex !! Name !! Purpose
|-
| 07 || 0x07 || Read Exception Status || Returns device error status byte
|-
| 08 || 0x08 || Diagnostics || Various sub-functions for testing comms
|-
| 11 || 0x0B || Get Comm Event Counter || Returns count of successful messages
|-
| 17 || 0x11 || Report Server ID || Returns device type and status
|}


----
<pre>
              MASTER TRANSMITTING              MASTER LISTENING
DE (Master):  ________________________
            |                        |________________________________
            ^ DE asserted HIGH        ^ DE released LOW


== Error Handling ==
TX (Master):  [ Start bits of frame...data bytes...CRC ]
            |←————————————————————————————————————————→|


=== CRC and LRC Checking ===
                                      ↑
                              3.5 character-time
                              silent gap here
                              marks end of frame


'''CRC-16 (Cyclic Redundancy Check)''' is used in Modbus RTU. It is a 16-bit error detection value calculated from all bytes in the message (excluding the CRC bytes themselves). The master calculates the CRC before sending, and the slave recalculates it upon receipt. If the values do not match, the message is discarded silently — no response is sent, and the master will timeout.
DE (Slave):                                        ______________________
                                                  |
                                                  ^ Slave asserts its DE HIGH


The CRC polynomial used is: <code>0xA001</code> (reflected form of CRC-16-IBM).
RX (Master):                                     [ Slave response frame ]
</pre>


'''LRC (Longitudinal Redundancy Check)''' is used in Modbus ASCII. It is calculated as the two's complement of the sum of all byte values in the message. It is simpler but less robust than CRC-16.
* DE HIGH = RS-485 driver active, device is transmitting
* DE LOW = RS-485 driver disabled, device is listening
* The 3.5 character-time silent gap at 9600 baud = ~3.6ms — this is what Modbus RTU uses to detect frame boundaries, not a delimiter byte
* If DE is not released fast enough, the master's driver will collide with the slave's response on the bus
}}


=== Exception Codes ===
{{Mbox
|type=notice
|text=
'''Modbus RTU — Full Message Example: FC03 Read 2 Registers — Complete Request/Response Cycle'''


When a slave receives a valid request but cannot fulfil it, it returns an exception response. The function code in the response has its most significant bit set to 1 (i.e. the original function code + 0x80), followed by an exception code byte.
Master reads 2 holding registers from slave 0x02, starting at address 0x0010 (registers 40017 and 40018). These could represent, for example, active power high and low bytes from an energy meter.


{| class="wikitable"
'''Master request frame — 8 bytes:'''
|-
<pre>
! Exception Code !! Hex !! Name !! Meaning
Byte:  [  1  ] [  2  ] [  3  ] [  4  ] [  5  ] [  6  ] [  7  ] [  8  ]
|-
Field: [Slave ] [ FC  ] [RegHi] [RegLo] [QtyHi] [QtyLo] [CRCLo] [CRCHi]
| 01 || 0x01 || Illegal Function || The function code is not supported by this device
Hex:  [ 0x02 ] [0x03 ] [0x00 ] [0x10 ] [0x00 ] [0x02 ] [0xC4 ] [0x38 ]
|-
</pre>
| 02 || 0x02 || Illegal Data Address || The register address does not exist on this device
|-
| 03 || 0x03 || Illegal Data Value || The value in the data field is not permitted
|-
| 04 || 0x04 || Slave Device Failure || An unrecoverable error occurred in the slave
|-
| 05 || 0x05 || Acknowledge || Slave accepted the request but needs more time (long operation)
|-
| 06 || 0x06 || Slave Device Busy || Slave is busy processing a previous request
|-
| 08 || 0x08 || Memory Parity Error || Slave detected a parity error reading extended memory
|-
| 10 || 0x0A || Gateway Path Unavailable || Gateway could not allocate a path (Modbus TCP)
|-
| 11 || 0x0B || Gateway Target No Response || Target device on gateway failed to respond
|}


----
'''Slave response frame — 9 bytes:'''
<pre>
Byte:  [  1  ] [  2  ] [  3  ] [  4  ] [  5  ] [  6  ] [  7  ] [  8  ] [  9  ]
Field: [Slave ] [ FC  ] [ByteCt] [R1Hi ] [R1Lo ] [R2Hi ] [R2Lo ] [CRCLo] [CRCHi]
Hex:  [ 0x02 ] [0x03 ] [ 0x04 ] [0x00 ] [0xC8 ] [0x01 ] [0x2C ] [0x77 ] [0xDF ]
</pre>


== Modbus in BMS Applications ==
'''Both frames in Modbus RTU binary, 8N1 (LSB first):'''
<pre>
REQUEST:
          [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
0x02 Addr:  0  0  1  0  0  0  0  0  0  1
0x03 FC:    0  1  1  0  0  0  0  0  0  1
0x00 RegHi: 0  0  0  0  0  0  0  0  0  1
0x10 RegLo: 0  0  0  0  0  1  0  0  0  1
0x00 QtyHi: 0  0  0  0  0  0  0  0  0  1
0x02 QtyLo: 0  0  1  0  0  0  0  0  0  1
0xC4 CRCLo: 0  0  0  1  0  0  0  1  1  1
0x38 CRCHi: 0  0  0  0  1  1  1  0  0  1


=== Typical Devices ===
[— 3.5 char silent gap (~3.6ms) — bus released by master — slave begins responding —]


Modbus is one of the most commonly encountered protocols when integrating third-party field devices into a BMS. The following device types frequently use Modbus RTU as their primary or secondary communication interface:
RESPONSE:
          [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
0x02 Addr:  0  0  1  0  0  0  0  0  0  1
0x03 FC:    0  1  1  0  0  0  0  0  0  1
0x04 BytCt: 0  0  0  1  0  0  0  0  0  1
0x00 R1Hi:  0  0  0  0  0  0  0  0  0  1
0xC8 R1Lo:  0  0  0  0  1  0  0  1  1  1
0x01 R2Hi:  0  1  0  0  0  0  0  0  0  1
0x2C R2Lo:  0  0  0  1  1  0  1  0  0  1
0x77 CRCLo: 0  1  1  1  0  1  1  1  0  1
0xDF CRCHi: 0  1  1  1  1  1  0  1  1  1
</pre>


* '''Energy meters''' — active power (kW), reactive power (kVAR), energy (kWh), power factor, voltage and current readings via input registers
'''Decoding the two register values from the response (Big Endian):'''
* '''Variable Frequency Drives (VFDs)''' — speed reference (Hz or %), run/stop command, fault status, output frequency and current feedback
<pre>
* '''Chillers and heat pumps''' — leaving water temperature, setpoint, mode command, alarm status
Register 1 (40017):
* '''Air Handling Units (AHUs)''' — supply/return air temperature, damper position, fan speed feedback
  High byte 0x00 = 0 × 256 =  0
* '''CO₂ and air quality sensors''' — CO₂ concentration (ppm), temperature, humidity
  Low  byte 0xC8 = 200
* '''Heat meters''' — flow rate, inlet/outlet temperatures, cumulative energy
  Value = 200
* '''UPS systems''' — battery voltage, charge level, load percentage, alarm status
* '''Generator controllers''' — run status, fuel level, output voltage, frequency


=== Wiring and Topology ===
Register 2 (40018):
  High byte 0x01 = 1 × 256 = 256
  Low  byte 0x2C = 44
  Value = 256 + 44 = 300
</pre>


Modbus RTU on RS-485 uses a '''daisy-chain bus topology'''. Devices are connected in series from the first to the last node. The two conductors of the RS-485 pair are labelled A (−) and B (+), though manufacturers often use inconsistent naming (some label them D− / D+, or even reverse the A/B convention).
If these were active power registers with a scale factor of ÷10:
Register 1 = 20.0 kW, Register 2 = 30.0 kW


Key wiring rules:
'''Transmission times at 9600 baud, 8N1:'''
* '''Termination resistors''' of 120Ω must be fitted at both physical ends of the RS-485 bus to prevent signal reflections. Only the two end devices are terminated — never intermediate devices.
<pre>
* '''Bias resistors''' (typically 560Ω to 1kΩ) are recommended to hold the bus at a defined state when no device is transmitting, preventing false start bit detection.
Request:  8 bytes × 10 bits × 104µs =  8.32ms
* '''Maximum cable length''' depends on baud rate (see Baud Rate section), but 1200 metres at 9600 baud is a typical practical limit for standard twisted pair cable.
Silent gap:                          ~  3.60ms
* The maximum number of addressable slave devices is 247, though the RS-485 electrical standard supports up to 32 unit loads on a single segment without repeaters (256 with 1/8 unit load devices).
Response:  9 bytes × 10 bits × 104µs = 9.36ms
* Shielded twisted pair (STP) cable is strongly recommended in BMS environments due to electrical noise from motors, VFDs, and other inductive loads.
                                        ───────
 
Total cycle time:                     ~21.28ms
=== Common Issues and Troubleshooting ===
</pre>
 
}}
The following are the most frequently encountered Modbus communication problems in BMS installations:
 
'''No response from slave / timeout'''
* Verify slave address matches the configured address on the physical device
* Check baud rate, parity, data bits, and stop bits match on master and slave
* Check A/B wiring polarity — reversed polarity is a very common installation error
* Verify termination resistors are fitted at the correct endpoints only
 
'''CRC errors / corrupted data'''
* Inspect cable routing — avoid running alongside power cables or VFD output cables
* Check for missing or incorrectly placed termination resistors
* Reduce baud rate to test if the issue is speed-related
* Check for ground loops (ensure shield is grounded at one end only)
 
'''Intermittent communication'''
* Often caused by missing bias resistors — the bus floats to an indeterminate state when idle
* Check for multiple termination resistors incorrectly fitted to intermediate devices
* Investigate RTS/driver enable timing issues if using a custom RS-485 adapter
 
'''Incorrect register values'''
* Confirm register addressing convention — some devices use 0-based addressing, others 1-based
* Check byte order (endianness) for 32-bit floating point values — some devices use Big Endian, others Little Endian or mixed (''byte-swapped'') formats
* Verify scaling factors — a register reading of 1234 may represent 12.34 depending on the device's register map

Revision as of 23:22, 24 February 2026

Baud Rate

File:modbus baudrate diagram.png
Diagram showing how baud rate affects the time width of each bit on the signal line.

Baud rate defines the number of signal changes per second on the communication line. In Modbus RTU, one symbol = one binary bit, so baud rate = bits per second.

Common Baud Rate Values

Baud Rate Bits per Second Typical Use Case
1200 1,200 bps Legacy devices, long cable runs
2400 2,400 bps Older meters and sensors
4800 4,800 bps Moderate speed legacy devices
9600 9,600 bps Most common default
19200 19,200 bps Standard BMS installations
38400 38,400 bps Higher performance systems
57600 57,600 bps Fast networks, shorter cable runs
115200 115,200 bps Maximum practical RS-485 speed

How Baud Rate Affects the Signal

Each bit occupies a fixed time window: Bit Period = 1 / Baud Rate

At 9600 baud each bit lasts 104 microseconds. At 115200 baud each bit lasts 8.7 microseconds.


Modbus RTU — Bit-Level Breakdown: Single Byte at 9600 Baud, 8N1

The byte 0x41 (decimal 65) on the RS-485 wire at 9600 baud: 

Bit:     Start  D0   D1   D2   D3   D4   D5   D6   D7   Stop
Value:     0    1    0    0    0    0    0    1    0     1
µs each: 104µs per bit window
  • Start bit (1 bit, always 0): Pulls line LOW — signals receiver to begin reading
  • D0–D7 (8 bits): Binary data, transmitted LSB first. 0x41 = 01000001 → wire order: 1,0,0,0,0,0,1,0
  • Stop bit (1 bit, always 1): Returns line HIGH — marks end of byte

Total frame = 10 bits × 104µs = 1.04ms per byte


Modbus RTU — Full Message Example: FC03 Read Holding Register

Master reads 1 holding register (address 0x0000 = register 40001) from slave address 0x01.

Frame in hex — 8 bytes total: 

Byte:  [  1  ] [  2  ] [  3  ] [  4  ] [  5  ] [  6  ] [  7  ] [  8  ]
Field: [Slave ] [ FC  ] [RegHi] [RegLo] [QtyHi] [QtyLo] [CRCLo] [CRCHi]
Hex:   [ 0x01 ] [0x03 ] [0x00 ] [0x00 ] [0x00 ] [0x01 ] [0x84 ] [0x0A ]

Each byte in Modbus RTU binary (8N1, LSB first, 9600 baud): 

Byte 1 — Slave Address 0x01 (00000001):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
   0   1   0   0   0   0   0   0   0   1

Byte 2 — Function Code 0x03 (00000011):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
   0   1   1   0   0   0   0   0   0   1

Byte 3 — Register Address High 0x00 (00000000):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
   0   0   0   0   0   0   0   0   0   1

Byte 4 — Register Address Low 0x00 (00000000):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
   0   0   0   0   0   0   0   0   0   1

Byte 5 — Quantity High 0x00 (00000000):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
   0   0   0   0   0   0   0   0   0   1

Byte 6 — Quantity Low 0x01 (00000001):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
   0   1   0   0   0   0   0   0   0   1

Byte 7 — CRC Low 0x84 (10000100):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
   0   0   0   1   0   0   0   0   1   1

Byte 8 — CRC High 0x0A (00001010):
  [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
   0   0   1   0   1   0   0   0   0   1

[S] = Start bit (always 0)   [P] = Stop bit (always 1)

What each field does: {

Effect on Cable Length

  • 9600 baud — up to ~1200m on good RS-485 twisted pair
  • 19200 baud — up to ~600m
  • 115200 baud — up to ~100m

Parity

File:modbus parity diagram.png
Parity bit position within a Modbus RTU serial frame.

Parity adds a single calculated bit after the 8 data bits in each Modbus RTU character frame, providing basic single-bit error detection at the byte level. CRC-16 handles error detection at the full message level.

Parity Modes

Mode Code Description
Even E Parity bit makes total count of 1s in the frame even
Odd O Parity bit makes total count of 1s in the frame odd
None N No parity bit. 2 stop bits recommended per Modbus spec to maintain frame length.
Mark M Parity bit always 1. Rarely used.
Space S Parity bit always 0. Rarely used.

The Modbus RTU specification recommends Even parity as default. In practice 8N1 (no parity, 1 stop bit) is the most common configuration in BMS installations.


Modbus RTU — Bit-Level Breakdown: Parity Bit Calculation

Example byte: 0x31 = binary 00110001 Count of 1-bits in data = 3

Even Parity (8E1) — 3 is odd, so parity bit = 1 to reach even total (3+1=4): 

Bit:   [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
Value:  0    1   0   0   0   1   1   0   0    1     1

Odd Parity (8O1) — 3 is already odd, so parity bit = 0 to keep total odd (3+0=3): 

Bit:   [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
Value:  0    1   0   0   0   1   1   0   0    0     1

No Parity (8N1) — no parity bit, one stop bit only: 

Bit:   [S]  D0  D1  D2  D3  D4  D5  D6  D7  [P]
Value:  0    1   0   0   0   1   1   0   0    1

No Parity (8N2) — no parity bit, two stop bits to maintain 11-bit frame: 

Bit:   [S]  D0  D1  D2  D3  D4  D5  D6  D7  [P1] [P2]
Value:  0    1   0   0   0   1   1   0   0    1    1

[S] = Start bit [Par] = Parity bit [P] = Stop bit


Modbus RTU — Full Message Example: FC03 Request with Even Parity (8E1)

Same request as the Baud Rate example — slave 0x01, FC03, register 0x0000, quantity 0x0001, CRC 0x840A — but now shown with Even parity applied to every byte.

Parity bit rule: count the 1s in D0–D7. If count is odd → parity = 1. If count is even → parity = 0. 

Byte 1 — Slave 0x01 (00000001) — one 1-bit → parity = 1:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
   0    1   0   0   0   0   0   0   0    1     1

Byte 2 — FC 0x03 (00000011) — two 1-bits → parity = 0:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
   0    1   1   0   0   0   0   0   0    0     1

Byte 3 — RegHi 0x00 (00000000) — zero 1-bits → parity = 0:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
   0    0   0   0   0   0   0   0   0    0     1

Byte 4 — RegLo 0x00 (00000000) — zero 1-bits → parity = 0:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
   0    0   0   0   0   0   0   0   0    0     1

Byte 5 — QtyHi 0x00 (00000000) — zero 1-bits → parity = 0:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
   0    0   0   0   0   0   0   0   0    0     1

Byte 6 — QtyLo 0x01 (00000001) — one 1-bit → parity = 1:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
   0    1   0   0   0   0   0   0   0    1     1

Byte 7 — CRCLo 0x84 (10000100) — two 1-bits → parity = 0:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
   0    0   0   1   0   0   0   0   1    0     1

Byte 8 — CRCHi 0x0A (00001010) — two 1-bits → parity = 0:
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
   0    0   1   0   1   0   0   0   0    0     1

8E1 framing = 11 bits per byte (1 start + 8 data + 1 parity + 1 stop) 8 bytes × 11 bits = 88 bits → at 9600 baud = 9.17ms to transmit the full request

The parity bit is recalculated independently for each byte — it is not a fixed value across the frame.

Data Bits

File:modbus databits diagram.png
Data bit positions D0–D7 within a Modbus RTU character frame, transmitted LSB first.

Data bits is the number of bits carrying actual payload within each Modbus RTU character frame. This is always 8 in Modbus RTU. 8 bits = 1 byte = values 0–255 per frame. For values larger than 255, Modbus RTU uses two consecutive bytes (one 16-bit register) or four bytes (two registers for 32-bit values).


Modbus RTU — Bit-Level Breakdown: Data Bit Weighting

Example byte: 0xB4 = decimal 180 = binary 10110100

Modbus RTU transmits data bits LSB first (D0 first, D7 last): 

Bit:   [S]  D0  D1  D2  D3  D4  D5  D6  D7  [P]
Value:  0    0   0   1   0   1   1   0   1    1

{


Modbus RTU — Full Message Example: FC03 Slave Response with Register Decoding

Slave 0x01 responds to the FC03 request. Register 40001 holds value 0x0190 (decimal 400), representing a supply air temperature of 40.0°C (scale factor ÷10).

Response frame in hex — 7 bytes total: 

Byte:  [  1  ] [  2  ] [  3  ] [  4  ] [  5  ] [  6  ] [  7  ]
Field: [Slave ] [ FC  ] [ByteCt] [DatHi] [DatLo] [CRCLo] [CRCHi]
Hex:   [ 0x01 ] [0x03 ] [ 0x02 ] [0x01 ] [0x90 ] [0xF8 ] [0x4B ]

Critical bytes expanded in Modbus RTU binary (8N1, LSB first): 

Byte 3 — Byte Count 0x02 (00000010):
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [P]
   0    0   1   0   0   0   0   0   0    1
  D1 = 2¹ = 2 → 2 data bytes follow (one 16-bit register) ✓

Byte 4 — Data High Byte 0x01 (00000001):
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [P]
   0    1   0   0   0   0   0   0   0    1
  D0 = 1 → High byte value = 1

Byte 5 — Data Low Byte 0x90 (10010000):
  [S]  D0  D1  D2  D3  D4  D5  D6  D7  [P]
   0    0   0   0   0   1   0   0   1    1
  D4 = 16, D7 = 128 → 16+128 = 144 = 0x90

Reconstructing the 16-bit register value (Big Endian — high byte first): 

High byte:  0x01 × 256  =  256
Low byte:   0x90        =  144
                          ─────
Register value:            400  =  0x0190

Applied scale factor ÷10:  400 ÷ 10  =  40.0°C

Modbus RTU always sends the high byte of a 16-bit register before the low byte. This is Big Endian byte order. Some devices deviate from this — always check the device register map.

Stop Bits

File:modbus stopbits diagram.png
1 stop bit vs 2 stop bits in a Modbus RTU character frame.

Stop bits return the RS-485 line to the idle HIGH state after each Modbus RTU character frame. The receiver requires this idle period to correctly detect the falling edge of the next start bit.

Stop Bit Configurations

Config Stop Bits Parity Total Bits per Frame Notes
8N1 1 None 10 Most common Modbus RTU configuration in BMS
8E1 1 Even 11 Modbus spec default — even parity + 1 stop
8O1 1 Odd 11 Odd parity + 1 stop
8N2 2 None 11 No parity, 2 stops — maintains 11-bit frame on noisy lines


Modbus RTU — Bit-Level Breakdown: Stop Bit Comparison

Example byte: 0x55 = binary 01010101 — four 1-bits (even count)

8N1 — No Parity, 1 Stop Bit (10 bits total): 

Bit:   [S]  D0  D1  D2  D3  D4  D5  D6  D7  [P]
Value:  0    1   0   1   0   1   0   1   0    1
        ←————————————— 10 bits ——————————————→

8E1 — Even Parity, 1 Stop Bit (11 bits total): Four 1-bits in data = even count → parity = 0 

Bit:   [S]  D0  D1  D2  D3  D4  D5  D6  D7  [Par] [P]
Value:  0    1   0   1   0   1   0   1   0    0     1
        ←—————————————— 11 bits ———————————————→

8N2 — No Parity, 2 Stop Bits (11 bits total): 

Bit:   [S]  D0  D1  D2  D3  D4  D5  D6  D7  [P1] [P2]
Value:  0    1   0   1   0   1   0   1   0    1    1
        ←—————————————— 11 bits ———————————————→

If the line goes LOW before the stop bit period ends, the receiver flags a framing error and discards the byte. The resulting CRC mismatch causes the master to timeout with no response.


Modbus RTU — Full Message Example: FC06 Write Single Register

Master writes value 0x0064 (decimal 100 = setpoint 10.0°C at scale ÷10) to register 40002 (address 0x0001) on slave 0x01.

Request frame in hex — 8 bytes: 

Byte:  [  1  ] [  2  ] [  3  ] [  4  ] [  5  ] [  6  ] [  7  ] [  8  ]
Field: [Slave ] [ FC  ] [RegHi] [RegLo] [ValHi] [ValLo] [CRCLo] [CRCHi]
Hex:   [ 0x01 ] [0x06 ] [0x00 ] [0x01 ] [0x00 ] [0x64 ] [0x49 ] [0xA4 ]

Full frame in Modbus RTU binary, 8N1 format: 

           [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
Byte 1 0x01: 0  1   0   0   0   0   0   0   0   1   ← Slave address
Byte 2 0x06: 0  0   1   1   0   0   0   0   0   1   ← Write Single Register
Byte 3 0x00: 0  0   0   0   0   0   0   0   0   1   ← Register address high
Byte 4 0x01: 0  1   0   0   0   0   0   0   0   1   ← Register address low (reg 40002)
Byte 5 0x00: 0  0   0   0   0   0   0   0   0   1   ← Value high byte
Byte 6 0x64: 0  0   0   1   0   0   1   1   0   1   ← Value low byte (100 decimal)
Byte 7 0x49: 0  1   0   0   1   0   0   1   0   1   ← CRC low
Byte 8 0xA4: 0  0   0   1   0   0   1   0   1   1   ← CRC high

On a successful FC06 write the slave echoes the entire 8-byte request frame back unchanged as its response. If the stop bit on any byte is corrupted, that byte is discarded as a framing error, the CRC check fails, and the master receives no response.

Transmission time at 9600 baud, 8N1: 8 bytes × 10 bits × 104µs = 8.32ms

Flow Control

File:modbus flowcontrol diagram.png
RS-485 RTS direction switching during a Modbus RTU request/response cycle.

Flow control in Modbus RTU on RS-485 is almost always set to None in software. The physical RS-485 half-duplex bus requires direction switching between transmit and receive, but this is handled by the hardware driver enable (DE) pin on the RS-485 transceiver, not by a software flow control protocol.

Flow Control Types

Type Method Compatible with Modbus RTU
None ✓ Standard for RS-485
Hardware RTS/CTS Physical signal lines Only on RS-232 point-to-point
Software XON/XOFF In-band bytes 0x11 / 0x13 ✗ Incompatible — binary protocol
RTS as DE toggle RTS drives RS-485 DE pin ✓ Used by USB-RS485 adapters


Modbus RTU — Bit-Level Breakdown: RS-485 Half-Duplex Direction Control

In Modbus RTU on RS-485, the driver enable (DE) signal controls which device is transmitting. Only one device may drive the bus at a time. 

              MASTER TRANSMITTING              MASTER LISTENING
DE (Master):  ________________________
             |                        |________________________________
             ^ DE asserted HIGH        ^ DE released LOW

TX (Master):  [ Start bits of frame...data bytes...CRC ]
             |←————————————————————————————————————————→|

                                       ↑
                               3.5 character-time
                               silent gap here
                               marks end of frame

DE (Slave):                                        ______________________
                                                  |
                                                  ^ Slave asserts its DE HIGH

RX (Master):                                      [ Slave response frame ]
  • DE HIGH = RS-485 driver active, device is transmitting
  • DE LOW = RS-485 driver disabled, device is listening
  • The 3.5 character-time silent gap at 9600 baud = ~3.6ms — this is what Modbus RTU uses to detect frame boundaries, not a delimiter byte
  • If DE is not released fast enough, the master's driver will collide with the slave's response on the bus


Modbus RTU — Full Message Example: FC03 Read 2 Registers — Complete Request/Response Cycle

Master reads 2 holding registers from slave 0x02, starting at address 0x0010 (registers 40017 and 40018). These could represent, for example, active power high and low bytes from an energy meter.

Master request frame — 8 bytes: 

Byte:  [  1  ] [  2  ] [  3  ] [  4  ] [  5  ] [  6  ] [  7  ] [  8  ]
Field: [Slave ] [ FC  ] [RegHi] [RegLo] [QtyHi] [QtyLo] [CRCLo] [CRCHi]
Hex:   [ 0x02 ] [0x03 ] [0x00 ] [0x10 ] [0x00 ] [0x02 ] [0xC4 ] [0x38 ]

Slave response frame — 9 bytes: 

Byte:  [  1  ] [  2  ] [  3  ] [  4  ] [  5  ] [  6  ] [  7  ] [  8  ] [  9  ]
Field: [Slave ] [ FC  ] [ByteCt] [R1Hi ] [R1Lo ] [R2Hi ] [R2Lo ] [CRCLo] [CRCHi]
Hex:   [ 0x02 ] [0x03 ] [ 0x04 ] [0x00 ] [0xC8 ] [0x01 ] [0x2C ] [0x77 ] [0xDF ]

Both frames in Modbus RTU binary, 8N1 (LSB first): 

REQUEST:
           [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
0x02 Addr:  0   0   1   0   0   0   0   0   0   1
0x03 FC:    0   1   1   0   0   0   0   0   0   1
0x00 RegHi: 0   0   0   0   0   0   0   0   0   1
0x10 RegLo: 0   0   0   0   0   1   0   0   0   1
0x00 QtyHi: 0   0   0   0   0   0   0   0   0   1
0x02 QtyLo: 0   0   1   0   0   0   0   0   0   1
0xC4 CRCLo: 0   0   0   1   0   0   0   1   1   1
0x38 CRCHi: 0   0   0   0   1   1   1   0   0   1

[— 3.5 char silent gap (~3.6ms) — bus released by master — slave begins responding —]

RESPONSE:
           [S] D0  D1  D2  D3  D4  D5  D6  D7 [P]
0x02 Addr:  0   0   1   0   0   0   0   0   0   1
0x03 FC:    0   1   1   0   0   0   0   0   0   1
0x04 BytCt: 0   0   0   1   0   0   0   0   0   1
0x00 R1Hi:  0   0   0   0   0   0   0   0   0   1
0xC8 R1Lo:  0   0   0   0   1   0   0   1   1   1
0x01 R2Hi:  0   1   0   0   0   0   0   0   0   1
0x2C R2Lo:  0   0   0   1   1   0   1   0   0   1
0x77 CRCLo: 0   1   1   1   0   1   1   1   0   1
0xDF CRCHi: 0   1   1   1   1   1   0   1   1   1

Decoding the two register values from the response (Big Endian): 

Register 1 (40017):
  High byte 0x00 = 0 × 256 =   0
  Low  byte 0xC8 = 200
  Value = 200

Register 2 (40018):
  High byte 0x01 = 1 × 256 = 256
  Low  byte 0x2C = 44
  Value = 256 + 44 = 300

If these were active power registers with a scale factor of ÷10: Register 1 = 20.0 kW, Register 2 = 30.0 kW

Transmission times at 9600 baud, 8N1: 

Request:   8 bytes × 10 bits × 104µs =  8.32ms
Silent gap:                           ~  3.60ms
Response:  9 bytes × 10 bits × 104µs =  9.36ms
                                        ───────
Total cycle time:                      ~21.28ms
Retrieved from "https://bmspedia.com/index.php?title=Modbus&oldid=80"