· Industrial Protocols · 3 min read
Modbus RTU & TCP: The Definitive Industrial Protocol Guide
Endianness, Function Codes, Offsets and the real difference between RTU and TCP. Everything you need to know to stop struggling with PLC integration.
If you work in industrial automation, Modbus is your daily bread. It is the “Esperanto” of machines: old, simple, and supported by absolutely everyone.
But that simplicity is deceptive. “It’s just Modbus” is the famous phrase before losing 3 days fighting with a byte that is backwards. This guide covers what the manuals don’t tell you.
1. The Data Model: The 4 Tables
Modbus doesn’t know what a “temperature” or a “velocity” is. It only sees 4 distinct data tables. Understanding this is 80% of the battle.
| Type | Access | Size | Typical Address | Usage |
|---|---|---|---|---|
| Coils (0x) | Read/Write | 1 bit | 00001 - 09999 | Digital Outputs (Relays, LEDs) |
| Discrete Inputs (1x) | Read Only | 1 bit | 10001 - 19999 | Digital Inputs (Sensors, Buttons) |
| Input Registers (3x) | Read Only | 16 bit | 30001 - 39999 | Raw Analog Data (ADC, Sensors) |
| Holding Registers (4x) | Read/Write | 16 bit | 40001 - 49999 | Setpoints, Configs, Float Values |
Trap #1: Many modern devices map EVERYTHING to Holding Registers (40001) for simplicity. But if you try to write to a register defined by the manufacturer as “Read Only”, you will get an Exception 02 (Illegal Data Address).
2. RTU vs TCP: More than just a different cable
The difference isn’t just RS485 vs Ethernet. The frame structure changes.
Modbus RTU (Serial)
Based on silence intervals.
- Slave ID (1 byte): Who you are talking to.
- PDU (Protocol Data Unit): Function + Data.
- CRC (2 bytes): Cyclic Redundancy Check. Critical. If a bit is corrupted by noise, the CRC fails and the slave ignores the message. It doesn’t respond “error”, it just stays silent.
Modbus TCP (Ethernet)
Wraps the PDU inside a TCP/IP packet.
- MBAP Header (7 bytes): Replaces the CRC.
- Transaction ID: To match requests/responses (async).
- Unit ID: Used when talking to a TCP->RTU Gateway. If talking directly to a PLC, it’s often ignored (0 or 255), but if you pass through a gateway, this byte is the final serial slave address.
3. The Endianness Hell (Byte Swap)
Modbus defines a register as 16 bits [High Byte, Low Byte]. Simple. But what happens with a 32-bit Float (e.g., 24.5 °C)? You need 2 registers.
There is no standard here. Every manufacturer sends bytes in whatever order they want:
- Big-Endian (Standard):
AB CD(Most common). - Little-Endian (Byte Swap):
DC BA(Common in PC/x86). - Mid-Big Endian (Word Swap):
CD AB(Common in old PLCs). - Mid-Little Endian:
BA DC.
Pro Tip: If you read a value that should be
220.5and you see0.0045or1.5e32, you have an Endianness problem. Don’t try to “scale” it. Rotate the bytes.
4. Addressing: 0 vs 1
- PLC Documentation: Says “Register 40001”.
- The Wire (Protocol): Requests address
0.
The protocol is Zero-Based.
- 40001 in manual -> Address 0 on wire.
- 40100 in manual -> Address 99 on wire.
If your SCADA software (Ignition, Node-RED) asks for “Modbus Address”, sometimes they expect the 40001 format and do the subtraction themselves. Other low-level libraries (pymodbus) expect the raw 0. Always check if your driver uses “1-based” or “0-based” addressing.
Summary
Don’t underestimate Modbus. It is robust because it is simple, but it is fragile if you don’t respect its rules:
- Verify if it’s Coil, Input, or Holding.
- Align Endianness for Floats and Longs.
- Subtract 1 from the address if using low-level libraries.
- In TCP, the Unit ID matters if there are gateways.
