Secondary Development Protocol
Function Code Introduction
| Function Code | Description | Notes |
|---|---|---|
| 01 | Read Coil Status | Read relay status |
| 02 | Read Discrete Input Status | Read input status |
| 03 | Read Holding Registers | Read address and version |
| 05 | Write Single Coil | Control single relay |
| 06 | Write Single Register | Set baud rate and address |
| 0F | Write Multiple Coils | Write relay status |
| 10 | Write Multiple Registers | Set multiple registers |
Register Address Description
| Address (HEX) | Address Storage Content | Register Value | Access | Modbus Function Code |
|---|---|---|---|---|
| 0x0000 ~ 0x0007 | Relay address for channel 1~8 | 0xFF00: Relay ON; 0x0000: Relay OFF; 0x5500: Relay Toggle; | Read/Write | 0x01, 0x05, 0x0F |
| 0x00FF | Operate all relays | 0xFF00: All relays ON; 0x0000: All relays OFF; 0x5500: All relays Toggle; | Write | 0x05 |
| 0x0100 ~ 0x0107 | Relay toggle address for channel 1~8 | 0xFF00: Relay Toggle; 0x0000: Relay unchanged; | Write | 0x05, 0x0F |
| 0x01FF | Operate all relays toggle | 0xFF00: All relays Toggle; 0x0000: All relays unchanged; | Write | 0x05 |
| 0x0200 ~ 0x0207 | Relay momentary ON for channel 1~8 | Delay time = data * 100 ms. Value: 0x0007, Delay: 7 * 100 ms = 700 ms | Write | 0x05 |
| 0x0400 ~ 0x0407 | Relay momentary OFF for channel 1~8 | Delay time = data * 100 ms. Value: 0x0007, Delay: 7 * 100 ms = 700 ms | Write | 0x05 |
| 0x10000 ~ 0x10007 | Input address for channel 1~8 | Indicates the status of input channels 1~8 | Read | 0x02 |
| 0x41000 ~ 0x41007 | Relay control mode for channel 1~8 | 0x0000 ~ 0x0003 Four control modes | Read/Write | 0x03, 0x06, 0x10 |
| 0x44000 | Device address | Stores the Modbus address directly. Device address: 0x0001 | Read | 0x03 |
| 0x48000 | Software version | Convert to decimal and move the decimal point two places to the left to indicate the software version: 0x0064 = 100 = V1.00 | Read | 0x03 |
Command Operation Introduction
Control a Single Relay
Transmission Code: 01 05 00 00 FF 00 8C 3A
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 05 | Command 05 | Relay control command |
| 00 00 | Address | Register address of the relay to control, 0x0000 - 0x0007 |
| FF 00 | Command | 0xFF00: Relay ON; 0x0000: Relay OFF; 0x5500: Relay Toggle; |
| 8C 3A | CRC16 | CRC16 checksum of the first 6 bytes of data |
Return Code: 01 05 00 00 FF 00 8C 3A
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 05 | Command 05 | Relay control command |
| 00 00 | Address | Register address of the relay to control, 0x0000 - 0x0007 |
| FF 00 | Command | 0xFF00: Relay ON; 0x0000: Relay OFF; 0x5500: Relay Toggle; |
| 8C 3A | CRC16 | CRC16 checksum of the first 6 bytes of data |
Example: Device with address 1:
Relay 0 on: 01 05 00 00 FF 00 8C 3A
Relay 0 off: 01 05 00 00 00 00 CD CA
Relay 1 on: 01 05 00 01 FF 00 DD FA
Relay 1 off: 01 05 00 01 00 00 9C 0A
Relay 2 on: 01 05 00 02 FF 00 2D FA
Relay 2 off: 01 05 00 02 00 00 6C 0A
Relay 3 on: 01 05 00 03 FF 00 7C 3A
Relay 3 off: 01 05 00 03 00 00 3D CA
Relay 0 toggle: 01 05 00 00 55 00 F2 9A
Relay 1 toggle: 01 05 00 01 55 00 A3 5A
Relay 2 toggle: 01 05 00 02 55 00 53 5A
Relay 3 toggle: 01 05 00 03 55 00 02 9A
Control All Relays
Transmission Code: 01 05 00 FF FF 00 BC 0A
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 05 | Command 05 | Relay control command |
| 00 FF | Address | Fixed 0x00FF |
| FF 00 | Command | 0xFF00: All relays ON; 0x0000: All relays OFF; 0x5500: All relays Toggle; |
| BC 0A | CRC16 | CRC16 checksum of the first 6 bytes of data |
Return Code: 01 05 00 FF FF 00 BC 0A
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 05 | Command 05 | Relay control command |
| 00 FF | Address | Fixed 0x00FF |
| FF 00 | Command | 0xFF00: All relays ON; 0x0000: All relays OFF; 0x5500: All relays Toggle; |
| BC 0A | CRC16 | CRC16 checksum of the first 6 bytes of data |
Example: Device with address 1:
All relays on: 01 05 00 FF FF 00 BC 0A
All relays off: 01 05 00 FF 00 00 FD FA
All relays toggle: 01 05 00 FF 55 00 C2 AA
Read Relay Status
Transmission Code: 01 01 00 00 00 08 3D CC
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 01 | Command 01 | Query relay status command |
| 00 00 | Starting address | Relay start address, 0x0000 - 0x0007 |
| 00 08 | Number of relays | Cannot exceed the maximum number of relays |
| 3D CC | CRC16 | CRC16 checksum of the first 6 bytes of data |
Return Code: 01 01 01 00 51 88
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 01 | Command 01 | Query relay status command |
| 01 | Byte count | Total number of bytes in the returned status information |
| 00 | Queried status | Returned relay status. Bit0: Starting relay status; Bit1: Next relay status, and so on. High unused bits are zero |
| 51 88 | CRC16 | CRC16 checksum of the first 4 bytes of data |
Example: Device with address 1
Transmission: 01 01 00 00 00 08 3D CC //Query all relays
Return Code: 01 01 01 00 51 88 //All relays off
Transmission: 01 01 00 02 00 01 5C 0A //Query relay 2
Return Code: 01 01 01 01 90 48 //Relay 1 on
Transmission: 01 01 00 01 00 03 2D CB //Query relays 1, 2, 3 status
Return Code: 01 01 01 05 91 8B //Relays 1 and 3 are on, relay 2 is off
Write Relay Status
Transmission Code: 01 0F 00 00 00 08 01 FF BE D5
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 0F | Command 0F | Write relay status command |
| 00 00 | Relay start address | Register address of the relay to control, 0x0000 - 0x0007 |
| 00 08 | Number of relays | Number of relays to operate, cannot exceed the maximum number of relays |
| 01 | Byte count | Number of status bytes |
| FF | Relay status | Bit0: Starting relay status; Bit1: Next relay status, and so on. High unused bits are zero |
| BE D5 | CRC16 | CRC16 checksum of the first 6 bytes of data |
Return Code: 01 0F 00 00 00 08 54 0D
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 0F | Command 0F | Write relay status command |
| 00 00 | Address | Relay start address |
| 00 08 | Number of relays | Number of relays written |
| 54 0D | CRC16 | CRC16 checksum of the first 6 bytes of data |
Example: Device with address 1
All relays on: 01 0F 00 00 00 08 01 FF BE D5
All relays off: 01 0F 00 00 00 08 01 00 FE 95
0-1 on; 3-7 off: 01 0F 00 00 00 08 01 03 BE 94
Relays 1, 2, and 3 on: 01 0F 00 01 00 03 01 07 F3 55
Relay Momentary ON/OFF Command
Transmission Code: 01 05 02 00 00 07 8D B0
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 05 | Command 05 | Single control command |
| 02 | Command | 02 for momentary ON, 04 for momentary OFF |
| 00 | Relay address | Relay address to control, 0x00 ~ 0x07 |
| 00 07 | Interval time | Delay time = data * 100 ms. Value: 0x0007, Delay: 7 * 100 ms = 700 ms. Maximum time for momentary ON/OFF is 0x7FFF |
| 8D B0 | CRC16 | CRC16 checksum of the first 6 bytes of data |
Return Code: 01 05 02 00 00 07 8D B0
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 05 | Command 05 | Single control command |
| 02 | Command | 02 for momentary ON, 04 for momentary OFF |
| 00 | Relay address | Relay address to control, 0x00 ~ 0x07 |
| 00 07 | Interval time | Delay time = data * 100 ms. Value: 0x0007, Delay: 7 * 100 ms = 700 ms. Maximum time for momentary ON/OFF is 0x7FFF |
| 8D B0 | CRC16 | CRC16 checksum of the first 6 bytes of data |
Example: Device with address 1
Relay 0 Momentary ON: 01 05 02 00 00 07 8D B0 //7 * 100 ms = 700 ms
Relay 1 Momentary ON: 01 05 02 01 00 08 9C 74 //800 ms
Relay 0 Momentary OFF: 01 05 04 00 00 05 0C F9 //500 ms
Relay 1 Momentary OFF: 01 05 04 01 00 06 1D 38 //600 ms
Read Input Status
Transmission Code: 01 02 00 00 00 08 79 CC
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 02 | Command 02 | Read input status command |
| 00 00 | Input start address | Input start address, 0x0000 - 0x0007 |
| 00 08 | Number of registers | Number of input channels to read, cannot exceed the maximum number of input channels |
| 79 CC | CRC16 | CRC16 checksum of the first 6 bytes of data |
Return Code: 01 02 01 00 A1 88
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 02 | Command 02 | Read input status command |
| 01 | Byte count | Total number of bytes in the returned status information |
| 00 | Queried status | Returned input status. Bit0: Starting input channel status; Bit1: Next input channel status, and so on. High unused bits are zero |
| A1 88 | CRC16 | CRC16 checksum of the first 4 bytes of data |
Example: Device with address 1
Transmission Code: 01 02 00 00 00 08 79 CC //Query all input channels
Return Code: 01 02 01 00 A1 88 //Inputs are all untriggered
Transmission Code: 01 02 00 00 00 08 79 CC //Query all input channels
Return Code: 01 02 01 41 61 B8 //Inputs on channels 1 and 7 are triggered; the remaining channels are not triggered
Transmission Code: 01 02 00 01 00 03 69 CB //Query input channels 2, 3, and 4
Return Code: 01 02 01 03 E1 89 //Inputs on channels 2 and 3 are triggered; channel 4 is not triggered
Read Relay Control Mode
Transmission Code: 01 03 10 00 00 08 40 CC
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 03 | Command 03 | Read holding registers |
| 10 00 | Starting register address | 0x1000 - 0x1007 correspond to relay control mode for channels 1~8 |
| 00 08 | Number of registers | Number of registers to read, maximum 8 channels |
| 40 CC | CRC16 | CRC16 checksum of the first 6 bytes of data |
Return Code: 01 03 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E4 59
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 03 | Command 03 | Read holding registers |
| 10 | Byte count | Total number of bytes in the returned status information |
| 00 00 ~ 00 00 | Control mode | Represents the control mode for relays 1 - 8. 0x0000 ~ 0x0003 indicate four control modes. 0x0000: Normal mode, relays are directly controlled by commands; 0x0001: Linkage mode, relay status follows the corresponding input channel status; 0x0002: Toggle mode, the relay status toggles once per pulse on the input channel; 0x0003: Edge trigger mode, the relay status toggles once per level change on the input channel. ⚠️ Note: Except for Linkage mode, relays in other modes can also be controlled simultaneously via commands. |
| E4 59 | CRC16 | CRC16 checksum of the first 6 bytes of data |
Example: Device with address 1
Read relay 1-8 control mode: 01 03 10 00 00 08 40 CC
Read relay 1 control mode: 01 03 10 00 00 01 80 CA
Read relay 2 control mode: 01 03 10 01 00 01 D1 0A
Read relay 3-5 control mode: 01 03 10 02 00 03 A0 CB
Set Single Relay Control Mode
Transmission Code: 01 06 10 00 00 01 4C CA
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 06 | Command 06 | Write single register command |
| 10 00 | Starting register address | 0x1000 - 0x1007 correspond to relay control mode for channels 1~8 |
| 00 01 | Control mode | Represents the control mode for relays 1 - 8. 0x0000 ~ 0x0003 indicate four control modes. 0x0000: Normal mode, relays are directly controlled by commands; 0x0001: Linkage mode, relay status follows the corresponding input channel status; 0x0002: Toggle mode, the relay status toggles once per pulse on the input channel; 0x0003: Edge trigger mode, the relay status toggles once per level change on the input channel. ⚠️ Note: Except for Linkage mode, relays in other modes can also be controlled simultaneously via commands. |
| 4C CA | CRC16 | CRC16 checksum of the first 6 bytes of data |
Return Code: 01 06 10 00 00 01 4C CA
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 06 | Command 06 | Write single register command |
| 10 00 | Starting register address | 0x1000 - 0x1007 correspond to relay control mode for channels 1~8 |
| 00 01 | Control mode | Relay control modes, 0x0000~0x0003 represent four control modes |
| 4C CA | CRC16 | CRC16 checksum of the first 6 bytes of data |
Example: Device with address 1:
Set relay 1 as Linkage mode: 01 06 10 00 00 01 4C CA
Set relay 2 as toggle mode: 01 06 10 01 00 02 5D 0B
Set Multiple Relay Control Mode
Transmission Code: 01 10 10 00 00 08 10 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 7C B1
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 10 | Write multiple registers | - |
| 10 00 | Starting register address | 0x1000 - 0x1007 correspond to relay control mode for channels 1~8 |
| 00 08 | Number of registers | Number of registers to set, up to 8 channels |
| 10 | Byte count | - |
| 00 01 ~ 00 01 | Control mode | Represents the control mode for relays 1 - 8. 0x0000 ~ 0x0003 indicate four control modes: 0x0000: Normal mode, relays are directly controlled by commands; 0x0001: Linkage mode, relay status follows the corresponding input channel status; 0x0002: Toggle mode, the relay status toggles once per pulse on the input channel; 0x0003: Edge trigger mode, the relay status toggles once per input state change on the input channel. ⚠️ Note: Except for Linkage mode, relays in other modes can also be controlled simultaneously via commands. |
| 7C B1 | CRC16 | CRC16 checksum of the first 6 bytes of data |
Return Code: 01 10 10 00 00 08 C5 0F
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 10 | Write multiple registers | - |
| 10 00 | Starting register address | 0x1000 - 0x1007 correspond to relay control mode for channels 1~8 |
| 00 08 | Number of registers | Number of registers to set, up to 8 channels |
| C5 0F | CRC16 | CRC16 checksum of the first 6 bytes of data |
Example: Device with address 1:
Set relays 1–8 as Normal mode: 01 10 10 00 00 08 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0B 5C
Set relays 1–8 as Linkage mode: 01 10 10 00 00 08 10 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 7C B1
Set relays 3–5 as toggle mode: 01 06 00 01 00 02 5D 4B
Read Software Version Command
Transmission Code: 01 03 80 00 00 01 AD CA
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 03 | Command 03 | Read holding registers |
| 80 00 | Command register | 0x8000 for reading software version |
| 00 01 | Byte Count | Fixed 0x0001 |
| AD CA | CRC16 | CRC16 checksum of the first 6 bytes of data |
Return Code: 01 03 02 00 64 B9 AF
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 03 | Command 03 | Read holding registers |
| 02 | Byte count | Returned byte count |
| 00 64 | Software Version | Convert to decimal, then shift the decimal point two places left to get the version: 0x0064 = 100 = V1.00 |
| B9 AF | CRC16 | CRC16 checksum of the first 5 bytes of data |
Example: Device with address 1:
Transmission Code: 01 03 80 00 00 01 AD CA
Return Code: 01 03 02 00 C8 B9 D2 //0x00C8 = 200 = V2.00
Exception Function Codes
If the received command is incorrect or an exception occurs, the device will return an exception response. The exception response format is as follows:
Return Code: 01 85 03 02 91
| Field | Description | Notes |
|---|---|---|
| 01 | Device Address | 0x00 indicates broadcast address; 0x01-0xFF indicate device address |
| 85 | Exception Function Code | Exception function code = Request function code + 0x80 |
| 03 | Byte Count | Exception code |
| 02 91 | CRC16 | CRC16 checksum of the first 6 bytes of data |
The exception code is a single-byte value indicating the type of error. Several common exception codes defined by the Modbus protocol are listed below:
| Exception Code | Name | Description |
|---|---|---|
| 0x01 | Illegal Function | The requested function code is not supported |
| 0x02 | Illegal Data Address | The requested data address is incorrect |
| 0x03 | Illegal Data Value | The requested data value or operation cannot be performed |
| 0x04 | Server Failure | Server device failure |
| 0x05 | Acknowledge | Request received and processing |
| 0x06 | Device Busy | Device is busy and cannot execute the requested operation |
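
An added Python example (not part of the original documentation) that builds the request frames shown above, validates a reply's CRC16 and turns the exception response into an error. The function and class names are chosen for this example; the CRC is the standard Modbus CRC-16, computed over every byte that precedes it and sent low byte first.

```python
import struct

# Exception codes as listed in the table above.
EXCEPTIONS = {1: "Illegal Function", 2: "Illegal Data Address", 3: "Illegal Data Value",
              4: "Server Failure", 5: "Acknowledge", 6: "Device Busy"}

class ModbusError(Exception):
    """Raised for malformed, mismatched or exception replies (name is this example's)."""

def crc16(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def frame(body: bytes) -> bytes:
    """Append the CRC, low byte first, to device address + function + data."""
    return body + struct.pack("<H", crc16(body))

def write_coil(unit: int, address: int, value: int) -> bytes:
    """Function 05 request; value 0xFF00 = ON, 0x0000 = OFF, 0x5500 = toggle."""
    return frame(struct.pack(">BBHH", unit, 0x05, address, value))

def read_coils(unit: int, start: int, count: int) -> bytes:
    """Function 01 request for `count` relays beginning at `start`."""
    return frame(struct.pack(">BBHH", unit, 0x01, start, count))

def parse_response(raw: bytes, request: bytes) -> bytes:
    """Check a reply against its request; return the bytes after the function code."""
    if len(raw) < 5:  # address + function + one data byte + 2 CRC bytes
        raise ModbusError("frame too short")
    body, (crc,) = raw[:-2], struct.unpack("<H", raw[-2:])
    if crc16(body) != crc:
        raise ModbusError("CRC mismatch")
    if body[0] != request[0]:
        raise ModbusError("reply from unexpected device address")
    if body[1] == request[1] | 0x80:  # exception function code = request code + 0x80
        raise ModbusError(EXCEPTIONS.get(body[2], f"exception 0x{body[2]:02X}"))
    if body[1] != request[1]:
        raise ModbusError("function code does not match request")
    return body[2:]

def coil_bits(data: bytes, count: int) -> list:
    """Decode a function 01/02 reply: byte count, then status bits (bit0 = first channel)."""
    if data[0] != len(data) - 1 or count > 8 * data[0]:
        raise ModbusError("byte count does not match payload")
    return [bool(data[1 + i // 8] >> (i % 8) & 1) for i in range(count)]
```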
Modbus TCP Command Introduction
This section briefly shows how a Modbus RTU command converts to Modbus TCP, using the command above that turns on the first relay as an example.
Modbus RTU command: 01 05 00 00 FF 00 8C 3A
| Field | Description | Notes |
|---|---|---|
| 01 | Device address | Fixed 0x01 |
| 05 | Command 05 | Relay control command |
| 00 00 | Address | Register address of the relay to control, 0x00, i.e., the first relay |
| FF 00 | Command | 0xFF00: Relay ON |
| 8C 3A | CRC16 | CRC16 checksum of the first 6 bytes of data |
Modbus TCP command: 00 00 00 00 00 06 01 05 00 00 FF 00
| Field | Description | Notes |
|---|---|---|
| 00 00 | Message identifier | Can be 0x00 |
| 00 00 | Modbus identifier | Must be 0, indicating Modbus communication |
| 00 06 | Byte length | Indicates the total number of subsequent bytes; 6 bytes follow |
| 01 | Device address | Fixed 0x01 |
| 05 | Command 05 | Relay control command |
| 00 00 | Address | Register address of the relay to control, 0x00, i.e., the first relay |
| FF 00 | Command | 0xFF00: Relay ON |
Comparing the two commands above shows that removing the CRC checksum from the Modbus RTU command and prefixing it with five 0x00 bytes and one length byte converts it to the Modbus TCP protocol.
For example, if the server network port receives the Modbus TCP command 00 00 00 00 00 06 01 05 00 00 FF 00 (turn on the first relay), the master controller will receive the Modbus RTU command 01 05 00 00 FF 00 8C 3A.
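
An added Python example (not part of the original documentation) of the RTU-to-TCP conversion described above, together with a header check and a decoder that turns a function 05 Modbus TCP command into a readable line, for instance when reviewing captured traffic. All function names are chosen for this example, the address ranges come from the register table on this page, and the RTU frame passed in is assumed to have had its CRC checked already.

```python
import struct

def rtu_to_tcp(rtu: bytes, transaction_id: int = 0) -> bytes:
    """Drop the 2 CRC bytes and prefix message id, Modbus id (0) and byte length."""
    pdu = rtu[:-2]  # device address + function + data
    return struct.pack(">HHH", transaction_id, 0, len(pdu)) + pdu

def split_tcp(adu: bytes):
    """Validate the 6-byte header; return (message id, unit, function, data)."""
    if len(adu) < 8:
        raise ValueError("shorter than header + device address + function")
    tid, proto, length = struct.unpack(">HHH", adu[:6])
    if proto != 0:
        raise ValueError("Modbus identifier must be 0")
    if length != len(adu) - 6:
        raise ValueError("byte length field does not match the bytes that follow")
    return tid, adu[6], adu[7], adu[8:]

RELAY_VALUES = {0xFF00: "ON", 0x0000: "OFF", 0x5500: "toggle"}

def describe_write(adu: bytes) -> str:
    """Describe a function 05 command using this page's register table."""
    _, unit, function, data = split_tcp(adu)
    if function != 0x05 or len(data) != 4:
        return f"unit {unit}: function 0x{function:02X} not decoded here"
    address, value = struct.unpack(">HH", data)
    state = RELAY_VALUES.get(value, f"value 0x{value:04X}")
    if address == 0x00FF:
        return f"unit {unit}: all relays {state}"
    if address <= 0x0007:
        return f"unit {unit}: relay channel {address + 1} {state}"
    if (address & 0xFFF8) in (0x0200, 0x0400):  # momentary ON / OFF ranges
        kind = "ON" if (address & 0xFF00) == 0x0200 else "OFF"
        channel = (address & 0x0007) + 1
        return f"unit {unit}: relay channel {channel} momentary {kind} for {value * 100} ms"
    return f"unit {unit}: address 0x{address:04X} not decoded here"
```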