Modbus RTU Protocol
The most widely used serial communication protocol for industrial automation, SCADA systems, and PLC networks.
Type
Serial Protocol
Speed
Up to 115.2 kbps
Max Devices
247
Standard
Modicon 1979
What is Modbus RTU?
Modbus RTU is one of the most widely used serial communication protocols in industrial automation. RTU stands for Remote Terminal Unit, referring to the compact binary encoding format that makes it efficient for serial links.
Created by Modicon (now Schneider Electric) in 1979, Modbus RTU was designed to connect programmable logic controllers (PLCs) in factory environments. It remains an open protocol with no licensing fees, which has contributed to its widespread adoption across vendors and industries.
Unlike its ASCII counterpart, Modbus RTU uses binary encoding for compact and efficient data transmission. This makes it the preferred choice when bandwidth and speed matter on serial links.
How Modbus RTU Communication Works
Modbus RTU follows a master-slave architecture. A single master device initiates all communication on the bus. Slaves never transmit unless they are responding to a request from the master.
The communication cycle is straightforward: the master sends a request frame addressed to a specific slave, and that slave processes the request and sends a response. Address 0 is reserved for broadcast messages, where the master sends a command to all slaves with no response expected.
The physical layer typically uses RS-485, which supports multi-drop connections with up to 247 addressable slave devices on a single bus segment. RS-232 can also be used for simple point-to-point connections. Each slave is assigned a unique address from 1 to 247.
Modbus RTU Frame Structure
A Modbus RTU frame consists of four fields: the slave address (1 byte), function code (1 byte), data (variable length, up to 252 bytes), and a CRC-16 checksum (2 bytes). The total maximum frame size is 256 bytes.
Unlike many protocols, Modbus RTU does not use start or stop characters to delimit frames. Instead, framing relies on timing. Each frame must be preceded and followed by a silence period of at least 3.5 character times. If a gap longer than 1.5 character times occurs within a frame, the receiver discards it as incomplete.
Error detection uses CRC-16 (Cyclic Redundancy Check). The transmitter calculates a 16-bit CRC over the address, function code, and data fields, and appends it to the frame. The receiver recalculates the CRC and compares. Any mismatch indicates a corrupted frame.
Modbus RTU Function Codes
Function codes define what operation the master wants the slave to perform. Here are the most commonly used Modbus function codes:
| Code | Name | Description |
|---|---|---|
0x01 | Read Coils | Read discrete outputs (on/off) |
0x02 | Read Discrete Inputs | Read discrete inputs |
0x03 | Read Holding Registers | Read 16-bit registers |
0x04 | Read Input Registers | Read input registers |
0x05 | Write Single Coil | Write one output |
0x06 | Write Single Register | Write one register |
0x0F | Write Multiple Coils | Write multiple outputs |
0x10 | Write Multiple Registers | Write multiple registers |
Modbus RTU Request and Response Examples
Below are real-world Modbus RTU request and response examples shown in hexadecimal. Each byte is separated by a space for readability.
Example 1: Read Holding Registers (Function Code 0x03)
The master reads 2 holding registers starting at address 40001 (register 0) from slave device 1. This is the most common Modbus operation, often used to read sensor values, setpoints, or device status.
Request (Master to Slave)
01 03 00 00 00 02 C4 0BResponse (Slave to Master)
01 03 04 00 64 00 C8 FA 33Example 2: Write Single Register (Function Code 0x06)
The master writes the value 500 (0x01F4) to holding register 40002 (register 1) on slave device 1. This is commonly used to update setpoints, control outputs, or configure device parameters.
Request (Master to Slave)
01 06 00 01 01 F4 D8 5AResponse (Slave to Master)
01 06 00 01 01 F4 D8 5AFor a successful write, the slave echoes the exact request back. An identical response confirms the register was written successfully.
Example 3: Write Single Coil (Function Code 0x05)
The master turns on coil 0 on slave device 2. Coils represent discrete outputs (on/off). The value FF 00 means ON, and 00 00 means OFF.
Request (Master to Slave)
02 05 00 00 FF 00 8C 09Response (Slave to Master)
02 05 00 00 FF 00 8C 09Echoed request confirms the coil was turned on successfully.
Example 4: Error Response
When a slave cannot process a request, it returns an exception response. The function code has its high bit set (0x83 instead of 0x03), followed by an exception code.
Error Response (Slave to Master)
01 83 02 C0 F1Modbus RTU Exception (Error) Codes
When a slave device cannot fulfill a request, it returns an exception response instead of the normal response. The function code in the response has its most significant bit set (original code + 0x80), followed by a single-byte exception code that identifies the error.
For example, if a Read Holding Registers request (function code 0x03) fails, the slave responds with function code 0x83. The exception code byte that follows tells the master exactly what went wrong.
| Code | Name | Meaning |
|---|---|---|
0x01 | Illegal Function | The function code in the request is not supported by the slave device. |
0x02 | Illegal Data Address | The register or coil address in the request is not valid for the slave. The address may not exist or the range extends beyond available registers. |
0x03 | Illegal Data Value | The value in the request data field is not acceptable. For example, writing an out-of-range value to a register, or an invalid quantity of registers. |
0x04 | Slave Device Failure | An unrecoverable error occurred while the slave was processing the request. This is a general-purpose error for internal device faults. |
0x05 | Acknowledge | The slave has accepted the request but needs a long time to process it. The master should poll later to check completion. |
0x06 | Slave Device Busy | The slave is currently processing a long-duration command and cannot accept a new request. The master should retry later. |
0x08 | Memory Parity Error | The slave detected a parity error in its internal memory. This indicates a hardware fault in the slave device. |
0x0A | Gateway Path Unavailable | Used with gateways. The gateway could not establish a path to the target device on the downstream network. |
0x0B | Gateway Target Failed to Respond | Used with gateways. The target device on the downstream network did not respond within the expected timeout. |
If the master receives no response at all (timeout), it typically means the slave is offline, the address is wrong, or there is a wiring or bus configuration issue. Modbus RTU does not have a specific error code for timeouts because the slave simply does not respond.
Key Features of Modbus RTU
- Simple and reliable: minimal protocol overhead with straightforward request-response communication.
- Low overhead: binary encoding keeps frames compact, maximizing throughput on bandwidth-limited serial links.
- Well-supported across vendors: virtually every industrial device manufacturer supports Modbus RTU.
- Deterministic timing: the master-slave architecture ensures predictable communication patterns.
- Long cable runs: RS-485 supports distances up to 1200 meters on a single bus segment without repeaters.
Common Use Cases for Modbus RTU
- SCADA systems: supervisory control and data acquisition for monitoring remote equipment.
- Building automation: HVAC systems, lighting controls, and energy management.
- Energy monitoring: power meters, smart grid devices, and utility substation equipment.
- Water/wastewater treatment: pump stations, flow meters, and chemical dosing systems.
- Manufacturing automation: PLCs, variable frequency drives (VFDs), and motor controllers.
Frequently Asked Questions About Modbus RTU
What is the difference between Modbus RTU and Modbus ASCII?
Modbus RTU uses binary encoding, while Modbus ASCII represents each byte as two hexadecimal ASCII characters. This makes RTU roughly twice as compact and faster for the same baud rate. RTU is the preferred choice in most industrial applications. ASCII is sometimes used when human readability or compatibility with older systems is needed.
How many devices can be on a Modbus RTU network?
A Modbus RTU network supports up to 247 slave devices and one master. Slave addresses range from 1 to 247, with address 0 reserved for broadcast messages. In practice, the number of electrical devices on an RS-485 segment may be limited by the transceiver unit load (typically 32 standard unit loads without repeaters).
What cable type does Modbus RTU use?
Modbus RTU most commonly uses RS-485 twisted-pair cable, which supports multi-drop connections over distances up to 1200 meters. RS-232 can also be used for simple point-to-point connections over shorter distances (typically up to 15 meters). Shielded twisted pair is recommended in electrically noisy industrial environments.
Is Modbus RTU still relevant in modern industrial automation?
Absolutely. Modbus RTU has an installed base of millions of devices worldwide and is still specified in new projects. Its simplicity, reliability, and vendor support make it a practical choice for serial communication in industrial settings. Many modern devices support both Modbus RTU and Modbus TCP for flexibility.
What baud rates does Modbus RTU support?
Common baud rates are 9600, 19200, 38400, 57600, and 115200 bps. 9600 baud is the most widely used default. All devices on the same bus must be configured to the same baud rate, data bits (typically 8), parity (even, odd, or none), and stop bits (1 or 2).
Related Protocols
- Modbus TCP: Modbus over TCP/IP for Ethernet-based industrial networks.
- HTTP: the foundational request-response protocol of the web.
- HTTPS: HTTP with TLS encryption for secure web communication.