Function code descriptions
FC 3 (03h) Read Input Registers / FC 4 (04h) Read Holding Registers
With this function code, one 16-bit value or multiple 16-bit values can be read. This function can be applied to NanoJ objects (see NanoJ objects) or process data objects (min. 4-byte alignment, see Process data objects (PDO)).
Request | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Function code | 1 byte | 03h / 04h |
Start address | 2 bytes | 0000h to FFFFh |
Number of registers | 2 bytes | 1 to (7Dh) |
CRC | 2 bytes |
Response ("M" corresponds to the number of registers to be read) | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Function code | 1 byte | 03h / 04h |
Number of bytes | 1 byte | 2 * M |
Register value | 2 bytes | |
CRC | 2 bytes |
Error | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Error code | 1 byte | 83h / 84h |
Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
CRC | 2 bytes |
Example |
|
Below is an example of a read request and response of register 5000 (1388h) and of the following register (2 registers):
|
FC 6 (06h) Write Single Register
This function code can be used to write a single 16-bit value. The function can be used on process data objects (see Process data objects (PDO)).
Request | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Function code | 1 byte | 06h |
Register address | 2 bytes | 0000h to FFFFh |
Register value | 2 bytes | 0000h to FFFFh |
CRC | 2 bytes |
Response | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Function code | 1 byte | 06h |
Register address | 2 bytes | 0000h to FFFFh |
Register value | 2 bytes | 0000h to FFFFh |
CRC | 2 bytes |
Error | ||
---|---|---|
Name | Length | Value |
Error code | 1 byte | 86h |
Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
CRC | 2 bytes |
Example |
|
Below is an example of a write request and response in register 6000 (1770h) with the value "0001h":
|
FC 16 (10h) Write Multiple Registers
With this function code, one 16-bit value or multiple 16-bit values can be written. The function can be applied to NanoJ objects (see Process data objects (PDO)) or process data objects (see NanoJ objects).
Request ("N" is the number of registers to be written) | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Function code | 1 byte | 10h |
Start address | 2 bytes | 0000h to FFFFh |
Number of registers | 2 bytes | 0001h to 007Bh |
Number of bytes | 1 byte | 2 * N |
Register value | N * 2 bytes | |
CRC | 2 bytes |
Response | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Function code | 1 byte | 10h |
Start address | 2 bytes | 0000h to FFFFh |
Number of registers | 2 bytes | 0001h to 007Bh |
CRC | 2 bytes |
Error | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Error code | 1 byte | 90h |
Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
CRC | 2 bytes |
Example |
|
Below is an example for writing values "0102h" and "0304h" starting with register address 6000 (1770h), number of registers is 2, length of the data is 4:
|
FC 17 (11h) Report Server ID
This function code can be used to read the description of the type, the current status and other information about the device.
Request | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Function code | 1 byte | 11h |
CRC | 2 bytes |
Response | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Function code | 1 byte | 03h |
Number of bytes | 1 byte | 01h |
Run Indicator Status | 1 byte | 00h = OFF, FFh = ON |
Additional data | ||
CRC | 2 bytes |
Error | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Error code | 1 byte | 91h |
Exception code (see Exception codes) | 1 byte | 01 or 04 |
CRC | 2 bytes |
Example |
|
Below is an example of a request/response for ID and status:
|
FC 23 (17h) Read/Write Multiple registers
With this function code, one 16-bit value or multiple 16-bit values can be simultaneously read and written. The function can be applied to NanoJ objects (see Process data objects (PDO)) or process data objects (see NanoJ objects).
Request ("N" is the number of registers to be read): | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Function code | 1 byte | 17h |
Read: Start address | 2 bytes | 0000h to FFFFh |
Read: Number of registers | 2 bytes | 0001h to 0079h |
Write: Start address | 2 bytes | 0000h to FFFFh |
Write: Number of registers | 2 bytes | 0001h to 0079h |
Write: Number of bytes | 1 byte | 2 * N |
Write: Register value | N * 2 bytes | |
CRC | 2 bytes |
Response ("M" corresponds to the number of bytes to be written): | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Function code | 1 byte | 17h |
Number of bytes | 1 byte | 2 * M |
Registers read | M * 2 bytes | |
CRC | 2 bytes |
Error | ||
---|---|---|
Name | Length | Value |
Slave address | 1 byte | |
Error code | 1 byte | 97h |
Exception code (see Exception codes) | 1 byte | 01, 02, 03 or 04 |
CRC | 2 bytes |
Example |
|
Below is an example for reading two registers beginning with register 5000 (1388h) and for writing two registers beginning with register 6000 (1770h) with 4 bytes and data "0102h" and "0304h":
|
FC 8 (08h) Diagnostics
Modbus function code FC08 offers numerous tests for checking the communication system between client and server or for checking various internal error states within the server.
This function uses a two-byte subfunction code in the request for defining the type of test. In a normal response, the server repeats both, the function and the subfunction code. Some diagnoses contain data of the device in the data field of the normal response.
Name | Length | Value |
---|---|---|
Function code | 1 byte | 08h |
Subfunction code | 2 bytes | |
Data | N x 2 bytes |
Name | Length | Value |
---|---|---|
Function code | 1 byte | 08h |
Subfunction code | 2 bytes | |
Data | N x 2 bytes |
Name | Length | Value |
---|---|---|
Function code | 1 byte | 88h |
Exception code (see Exception codes) | 1 byte | 01 or 03 or 04 |
FC 8.10 (08h.0Ah) Clear Counters and Diagnostic Register
The objective of this request is to reset all counters and diagnosis registers. Counters are also reset when the controller is switched on.
Subfunction | Data range | |
---|---|---|
Request | Response | |
00h 0Ah | 00h - 00h | Echo of the request data |
Example |
|
|
FC 8.11 (08h.0Bh) Return Bus Message Count
The response data range returns the number of messages detected by the communications system since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller.
Subfunction | Data range | |
---|---|---|
Request | Response | |
00h 0Bh | 00h - 00h | Total Message Count |
FC 8.12 (08h.0Ch) Return Bus Communication Error Count
The response data range returns the number of CRC errors since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller.
Subfunction | Data range | |
---|---|---|
Request | Response | |
00h 0Ch | 00h - 00h | CRC Error Count |
Example |
|
|
FC 8.13 (08h.0Dh) Return Bus Exception Error Count
The response data range returns the number of Modbus exceptions since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller.
Subfunction | Data range | |
---|---|---|
Request | Response | |
00h 0Dh | 00h - 00h | Exception Error Count |
Example |
|
|
FC 8.14 (08h.0Eh) Return Server Message Count
The response data range returns the number of messages addressed to the device and the number of broadcast messages that were processed by the controller. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.
Subfunction | Data range | |
---|---|---|
Request | Response | |
00h 0Eh | 00h - 00h | Server Message Count |
Example |
|
|
FC 8.15 (08h.0Fh) Return Server No Response Count
The response data range returns the number of messages addressed to the controller for which no response was returned (neither normal response nor exception response). The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.
Subfunction | Data range | |
---|---|---|
Request | Response | |
00h 0Fh | 00h - 00h | No Response Count |
Example |
|
|
FC 8.16 (08h.10h) Return Server NAK Count
The response data range returns the number of messages for which a "Negative Acknowledge (NAK)" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.
Subfunction | Data range | |
---|---|---|
Request | Response | |
00h - 10h | 00h - 00h | Server NAK Count |
Example |
|
|
FC 8.17 (08h.11h) Return Server Busy Count
The response data range returns the number of messages for which a "Server Device Busy" exception response was returned. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted.
Subfunction | Data range | |
---|---|---|
Request | Response | |
00h - 11h | 00h - 00h | Server NAK Count |
Example |
|
|
FC 8.18 (08h.12h) Return Bus Character Overrun Count
The response data range returns the number of messages addressed to the controller that could not be processed due to a character overrun. The number of messages since the last restart, "Clear Counters and Diagnostic Register" request, or switching on of the controller are counted. A character overrun occurs when characters arrive at the controller faster than they can be stored or by the loss of a character due to a hardware malfunction.
Subfunction | Data range | |
---|---|---|
Request | Response | |
00h - 12h | 00h - 00h | Server Character Overrun Count |
Example |
|
|
FC 43 (2Bh) Encapsulated Interface Transport
This function facilitates simple access of the CANopen object dictionary. Further details can be found in the following documentation:
- MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3, Date: 26.04.2014, Version: 1.1b3
- CiA 309 Draft Standard Proposal - Access from other networks - Part 2: Modbus/TCP mapping V1.3, Date: 30.07.2015, Version: 1.3
Definition of the request and response:
Name | Length | Example/number range |
---|---|---|
Slave address | 1 byte | |
Function code | 1 byte | 2Bh (43d) |
MEI type | 1 byte | 0Dh (13d) |
Protocol options Range | 2 to 5 bytes | |
Address and data range | N bytes | |
CRC | 2 bytes |
Protocol options Range
Name | Length | Example/number range |
---|---|---|
Protocol control | 1 to 2 bytes | See description |
Reserved | 1 byte | Always 0 |
(Optional) Counter byte | 1 byte | |
(Optional) Network ID | 1 byte | |
(Optional) Encoded data | 1 byte |
Protocol control:
The "Protocol control" field contains the flags that are needed for controlling the message protocols. The bytes of the "Protocol control" field are defined as follows if the "extended" flag was set (the second byte is otherwise omitted):
The most significant bit (MSB) is bit 0 for "protocol control" byte 1 and bit 8 for "protocol control" byte 2. The least significant bit (LSB) is bit 7 for "protocol control" byte 1 and bit 15 for "protocol control" byte 2.
Bit | Name | Description |
---|---|---|
0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
3 and 4 | Reserved | 0 |
5 | Network ID option | Not supported, must be "0". |
6 | Encoded data option | Not supported, must be "0". |
7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
8 to 15 | Reserved | 0 |
Address and data range
The address and data range is defined in the following table:
Name | Byte size and byte order | Example / range |
---|---|---|
Node-ID | 1 byte | 01h to 7Fh |
Index | 1 byte, high | 0000h to FFFFh |
1 byte, low | ||
Subindex | 1 byte | 00h to FFh |
Start address | 1 byte, high | 0000h to FFFFh |
1 byte, low | ||
Number of data values | 1 byte, high | 0000h to 00FDh |
1 byte, low | ||
Write/read data | n bytes | The data are encoded as described in chapter General. |
Example:
To read object 6042h:00h (16-bit value), the following message must be sent by the master (all values are in hexadecimal notation, the slave ID of the controller is "5").
- Request
- Response
Shown as an additional example below, a sequence of Modbus messages is sent from the master to the slave to rotate the motor in "Velocity" mode:
Below are two examples for reading an object:
Error reaction
In the event of an error, the following error message is sent:
Name | Length | Example value |
---|---|---|
Slave address | 1 byte | |
Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
Modbus exception code | 1 byte | FFh ("extended exception") |
Extended exception length | 2 bytes | 6 |
MEI type | 1 byte | 0Dh |
Exception code | 1 byte | CEh |
Error code | 4 bytes | CANopen error code, see following table |
CRC | 2 bytes |
CANopen error code | Description |
---|---|
FFFF0000h | Abort no error |
FFFF1003h | Service is not supported |
FFFF1004h | Gap in counter byte of the Protocol control field |
FFFF0003h | Unknown or invalid command |
FFFF0008h | Access to the object is not supported |
FFFF000Eh | General error in the parameter |
FFFF0011h | Length of parameter incorrect |
FFFF0012h | Parameter too long |
FFFF0013h | Parameter too short |
FFFF0015h | Parameter data outside of the permissible value range (for write commands) |
FFFF0016h | Parameter data exceed the permissible value range (for write commands) |
FFFF0017h | Parameter data below the permissible value range (for write commands) |
FFFF0018h | Maximum entered values less than minimum values |
FFFF0019h | General error |
FFFF001Eh | Requested object is too large for single message |
FFFF1004h | Invalid sequence of messages (e. g., if the value of the counter byte is not correct according to the previous request or response) |
In the event that the unsupported control option bit is set, the following error message is sent:
Name | Length | Example value |
---|---|---|
Slave address | 1 byte | |
Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
Modbus exception code | 1 byte | FFh ("extended exception") |
Extended exception length | 2 bytes | 2 + length of "supported protocol control" |
MEI type | 1 byte | 0Dh |
Exception code | 1 byte | AEh |
Supported protocol control | 1 or 2 bytes | See following table |
CRC | 2 bytes |
Bit | Name | Description |
---|---|---|
0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
3 and 4 | Reserved | 0 |
5 | Network ID option | Not supported, must be "0". |
6 | Encoded data option | Not supported, must be "0". |
7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
8 to 15 | Reserved | 0 |
The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:
- Request
- Response
FC 101 (65h) Read complete object dictionary
This function code is used to read out the complete object dictionary.
To start or restart the reading out of the object dictionary, subfunction code 55
h must be sent. This code resets reading out of the object dictionary on object 0000h. All subsequent object dictionary frames must then contain subfunction code AA
h. At the end, once all objects have been read out, an "Error Response" is generated with the abort code "No data available".
The format of each "read object" is as follows:
Name | Length | Value / note |
---|---|---|
Slave address | 1 byte | |
Function code | 1 byte | 65h |
Subfunction code | 1 byte | 55h or AAh |
Length of the data | 1 byte | 00h |
CRC | 2 bytes |
Name | Length | Value / note |
---|---|---|
Slave address | 1 byte | 65h |
Function code | 1 byte | |
Subfunction code | 1 byte | |
Length of the data | 1 byte | |
n times "object dictionary frame" | 1 - 252 bytes | |
CRC | 2 bytes |
Name | Value / note | |
---|---|---|
Index Low Byte | 1 byte | |
Index High Byte | 1 byte | |
Subindex | 1 byte | |
Number of bytes | 1 byte | Number m of the valid data in the data field |
Data byte | m-1 byte |
Example
All of the following numerical values are in hexadecimal format. The address of the slave is "5".
Start reading of the object dictionary with request:
The response is:
Read out the next part of the object dictionary with the request:
The response is:
Repeat reading of the object dictionary with the previous request until the response is an error:
Error reaction
In the event of an error, the following error message is sent:
Name | Length | Example value |
---|---|---|
Slave address | 1 byte | |
Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
Modbus exception code | 1 byte | FFh ("extended exception") |
Extended exception length | 2 bytes | 6 |
MEI type | 1 byte | 0Dh |
Exception code | 1 byte | CEh |
Error code | 4 bytes | CANopen error code, see following table |
CRC | 2 bytes |
CANopen error code | Description |
---|---|
FFFF0000h | Abort no error |
FFFF1003h | Service is not supported |
FFFF1004h | Gap in counter byte of the Protocol control field |
FFFF0003h | Unknown or invalid command |
FFFF0008h | Access to the object is not supported |
FFFF000Eh | General error in the parameter |
FFFF0011h | Length of parameter incorrect |
FFFF0012h | Parameter too long |
FFFF0013h | Parameter too short |
FFFF0015h | Parameter data outside of the permissible value range (for write commands) |
FFFF0016h | Parameter data exceed the permissible value range (for write commands) |
FFFF0017h | Parameter data below the permissible value range (for write commands) |
FFFF0018h | Maximum entered values less than minimum values |
FFFF0019h | General error |
FFFF001Eh | Requested object is too large for single message |
FFFF1004h | Invalid sequence of messages (e. g., if the value of the counter byte is not correct according to the previous request or response) |
In the event that the unsupported control option bit is set, the following error message is sent:
Name | Length | Example value |
---|---|---|
Slave address | 1 byte | |
Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
Modbus exception code | 1 byte | FFh ("extended exception") |
Extended exception length | 2 bytes | 2 + length of "supported protocol control" |
MEI type | 1 byte | 0Dh |
Exception code | 1 byte | AEh |
Supported protocol control | 1 or 2 bytes | See following table |
CRC | 2 bytes |
Bit | Name | Description |
---|---|---|
0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
3 and 4 | Reserved | 0 |
5 | Network ID option | Not supported, must be "0". |
6 | Encoded data option | Not supported, must be "0". |
7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
8 to 15 | Reserved | 0 |
The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:
- Request
- Response
FC 102 (66h) Read complete array or record
This function code is used to read out the complete array or record from the object dictionary.
To start or restart the reading out of the array, subfunction code 55
h must be sent. This code resets reading out on the object with subindex 00h. All subsequent requests must then contain subfunction code AA
h. At the end, once all objects have been read out, an "Error Response" is generated.
The format of each "read object" is as follows:
Name | Length | Value / note |
---|---|---|
Slave address | 1 byte | |
Function code | 1 byte | 66h |
Subfunction code | 1 byte | 55h or AAh |
Length of the data | 1 byte | 00h |
Index of the array to be read | 2 bytes | |
CRC | 2 bytes |
Name | Length | Value / note |
---|---|---|
Slave address | 1 byte | 65h |
Function code | 1 byte | |
Subfunction code | 1 byte | |
Length of the data | 1 byte | |
n times object dictionary frame | 1 - 252 bytes | |
CRC | 2 bytes |
Name | Value / note | |
---|---|---|
Index Low Byte | 1 byte | |
Index High Byte | 1 byte | |
Subindex | 1 byte | |
Number of bytes | 1 byte | Number m of the valid data in the data field |
Data byte | m-1 byte |
Example
All of the following numerical values are in hexadecimal format; the index of the object that is to be read is 2400h. The address of the slave is "5"h.
Start reading of the array with request:
The response is:
Error reaction
In the event of an error, the following error message is sent:
Name | Length | Example value |
---|---|---|
Slave address | 1 byte | |
Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
Modbus exception code | 1 byte | FFh ("extended exception") |
Extended exception length | 2 bytes | 6 |
MEI type | 1 byte | 0Dh |
Exception code | 1 byte | CEh |
Error code | 4 bytes | CANopen error code, see following table |
CRC | 2 bytes |
CANopen error code | Description |
---|---|
FFFF0000h | Abort no error |
FFFF1003h | Service is not supported |
FFFF1004h | Gap in counter byte of the Protocol control field |
FFFF0003h | Unknown or invalid command |
FFFF0008h | Access to the object is not supported |
FFFF000Eh | General error in the parameter |
FFFF0011h | Length of parameter incorrect |
FFFF0012h | Parameter too long |
FFFF0013h | Parameter too short |
FFFF0015h | Parameter data outside of the permissible value range (for write commands) |
FFFF0016h | Parameter data exceed the permissible value range (for write commands) |
FFFF0017h | Parameter data below the permissible value range (for write commands) |
FFFF0018h | Maximum entered values less than minimum values |
FFFF0019h | General error |
FFFF001Eh | Requested object is too large for single message |
FFFF1004h | Invalid sequence of messages (e. g., if the value of the counter byte is not correct according to the previous request or response) |
In the event that the unsupported control option bit is set, the following error message is sent:
Name | Length | Example value |
---|---|---|
Slave address | 1 byte | |
Function code | 1 byte | 2Bh +80h (171d = 43d + 128d) (indicates error) |
Modbus exception code | 1 byte | FFh ("extended exception") |
Extended exception length | 2 bytes | 2 + length of "supported protocol control" |
MEI type | 1 byte | 0Dh |
Exception code | 1 byte | AEh |
Supported protocol control | 1 or 2 bytes | See following table |
CRC | 2 bytes |
Bit | Name | Description |
---|---|---|
0 | "Extended" flag | This bit is used if the object dictionary data set is larger than would fit in a Modbus command. The data set then spans over multiple Modbus messages; each message contains part of the data set. "0" = No multiple message transaction or the end of the multiple message transaction. "1" = Part of a multiple message transaction. |
1 | Extended protocol control | Length of the protocol control, the value "0" indicates a length of 1 byte, the value "1" indicates a length of 2 bytes. |
2 | Counter byte option | This bit is set to "1" to indicate that the "counter byte" field is used in this message. If this bit is set to "0", the "counter byte" field does not exist in this message. |
3 and 4 | Reserved | 0 |
5 | Network ID option | Not supported, must be "0". |
6 | Encoded data option | Not supported, must be "0". |
7 | Access flag | This bit indicates the access method of the requested command. "0" = read, "1" = write. |
8 to 15 | Reserved | 0 |
The following example shows an error in the event of a faulty request. The request reads 6061h:00 with a length of 2 bytes, but the object has a size of just 1 byte:
- Request
- Response
Exception codes
In case of an error, the following exception codes may be contained in the response depending on the function code:
Code | Name | Description |
---|---|---|
01 | Illegal Function | Function code not recognized/allowed |
02 | Illegal Data Address | Register address not valid or does not exist |
03 | Illegal Data Value | Value not valid |
04 | Device Failure | Unrecoverable error |
For further details, refer to Modbus specification MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3.