Modbus Register Addressing: Modicon, PDU, and Page-Based Conventions

Complete guide to Modbus addressing conventions — Modicon 5-digit notation, PDU 0-based addressing, page-based schemes, and how to resolve the off-by-one errors that cause most integration failures.

Last updated Mar 12, 2026 · 8 min read · ⚠ Review pending

Categories:
Modbus
Tags:
modbusreferenceprotocoltroubleshooting

Overview

Modbus register addressing is the single most common cause of integration failures. Chipkin’s support data across 437+ FSE projects shows that off-by-one addressing errors cause approximately 50% of all Modbus exception responses — specifically, exception code 02 (Illegal Data Address).

The root cause is that three different addressing conventions coexist in the industry, and device manufacturers use them interchangeably without always documenting which one they follow. This guide explains each convention, how to identify which one a device uses, and how to convert between them.

Modbus Addressing Conventions Compared

The Three Addressing Conventions

1. Modicon Convention (5-Digit / 6-Digit)

The original Modicon PLC numbering system from the 1970s. This is the most widely used convention in device documentation but is not what appears on the wire.

PrefixData TypeModicon RangePDU Address RangeFunction Code
0xxxxCoils (read/write bits)00001 – 099990x0000 – 0x270EFC01, FC05, FC15
1xxxxDiscrete Inputs (read-only bits)10001 – 199990x0000 – 0x270EFC02
3xxxxInput Registers (read-only 16-bit)30001 – 399990x0000 – 0x270EFC04
4xxxxHolding Registers (read/write 16-bit)40001 – 499990x0000 – 0x270EFC03, FC06, FC16

Key rule: The leading digit identifies the data type, and the remaining digits are 1-based. Modicon register 40001 maps to PDU address 0x0000.

6-Digit Extended Notation

For devices with more than 9,999 registers per type, the 6-digit notation extends the range:

PrefixData Type6-Digit RangePDU Address Range
0xxxxxCoils000001 – 0655360x0000 – 0xFFFF
1xxxxxDiscrete Inputs100001 – 1655360x0000 – 0xFFFF
3xxxxxInput Registers300001 – 3655360x0000 – 0xFFFF
4xxxxxHolding Registers400001 – 4655360x0000 – 0xFFFF

2. PDU Convention (0-Based)

This is the actual address that appears in the Modbus protocol data unit (PDU) — the raw bytes on the wire. All Modbus frames use PDU addressing internally.

PDU AddressSizeNotes
0x00000xFFFF16-bitZero-based, no type prefix

The function code in the frame determines the data type — not the address. PDU address 0x0000 with FC03 reads holding register 0, while PDU address 0x0000 with FC04 reads input register 0.

3. Page-Based / Vendor-Specific Conventions

Some manufacturers define their own addressing schemes, often using “pages” or “groups”:

ConventionExampleHow It Works
Page-basedPage 1, Register 0 → PDU 0x0100Address = (page × page_size) + register_offset
Block-basedBlock A, Word 5 → PDU 0x0005Each block maps to a function code or address range
Offset from baseBase 1000 + offset 5 → PDU 0x03EDCommon in older SCADA systems
Hexadecimal onlyRegister 0x1F4Used by manufacturers who document in hex without Modicon notation

[!CAUTION] Page-based addressing is manufacturer-specific. There is no standard formula. Always refer to the device’s Modbus register map documentation and test with a diagnostic tool before building a gateway configuration.

The Off-By-One Problem

The most common Modbus addressing error is a one-register offset. It happens when the documentation and the gateway use different conventions:

Example: Reading Holding Register 40001

Convention Used ByAddress Sent on WireResult
Documentation says 40001, gateway uses Modicon (correct)PDU 0x0000✅ Correct register
Documentation says 40001, gateway uses PDU directlyPDU 0x9C41 (decimal 40001)❌ Way outside valid range
Documentation says 40001, gateway strips prefix but uses 1-basedPDU 0x0001❌ Off by one — reads register 40002 instead
Documentation says 40001, gateway strips prefix and uses 0-basedPDU 0x0000✅ Correct register

[!TIP] When you see a register listed as 40001 in a Modbus table, the device almost always means Modicon notation:

  • Strip the leading 4 → address 0001
  • Subtract 1 → PDU address 0x0000

If the gateway has a “Modicon” or “1-based” addressing option, use it and enter 40001 directly.

How to Identify the Convention

Step 1: Read the Documentation Header

Look for clues in the register map documentation:

Documentation StyleLikely ConventionExample
5-digit numbers starting with 3 or 4Modicon (1-based)40001, 30001
6-digit numbers starting with 3 or 4Modicon extended (1-based)400001, 300001
Small numbers (0–999) without prefixPDU (0-based)0, 100, 500
Hex addressesPDU (0-based)0x0000, 0x1F4
”Page” or “Group” referencesVendor-specificPage 1, Reg 0

Step 2: Test with a Known Register

  1. Find a read-only status register with a predictable value (e.g., model number, firmware version, or a temperature reading you can verify)
  2. Read it using the address from the documentation
  3. If you get exception code 02, try address ±1
  4. If the value looks wrong (shifted), the register map may use a different byte order — see Modbus Data Types & Byte Order Reference

Step 3: Verify with Multiple Registers

Once you find the correct offset for one register, read a contiguous block and verify that all values make sense. If register N is correct but register N+1 doesn’t match the expected data type, you may have a non-contiguous register map.

Common Gateway Address Configuration

QuickServer Configuration

When configuring a QuickServer:

Gateway SettingWhen to Use
”Offset=0” or “Zero-based”Documentation uses PDU addresses (small numbers, no prefix)
“Offset=1” or “One-based”Documentation uses Modicon addresses (40001, 30001)
“Modicon”Gateway automatically strips prefix and adjusts offset

CAS Modbus Scanner

The CAS Modbus Scanner allows testing both conventions directly:

  1. Set the start address to the documented value
  2. Set addressing mode to Modicon or PDU
  3. Read the register and verify the returned value
  4. If exception 02, switch conventions and retry

Conversion Reference Table

Modicon 5-DigitModicon 6-DigitPDU Address (Hex)PDU Address (Dec)Function Code
000010000010x00000FC01/05/15
001000001000x006399FC01/05/15
100011000010x00000FC02
101001001000x006399FC02
300013000010x00000FC04
301003001000x006399FC04
400014000010x00000FC03/06/16
401004001000x006399FC03/06/16
410004010000x03E7999FC03/06/16
499994099990x270E9998FC03/06/16
4100000x270F9999FC03/06/16
4655360xFFFF65535FC03/06/16

[!TIP] Quick conversion formula: PDU Address = Modicon Address − (Prefix × 10000) − 1 Example: 4010040100 − 40000 − 1 = 99 → PDU 0x0063

Register Count Limits

Each function code has a maximum number of registers that can be read or written in a single request:

Function CodeOperationMax CountMax Bytes
FC01 / FC02Read coils / discrete inputs2000 bits250 bytes
FC03 / FC04Read holding / input registers125 registers250 bytes
FC05Write single coil1 bit
FC06Write single register1 register
FC15Write multiple coils1968 bits246 bytes
FC16Write multiple registers123 registers246 bytes

[!NOTE] Requesting more registers than the device supports in a single read causes exception code 02 or 03. If you need to read a large register range, split it into multiple requests of 100 registers or fewer — some devices support fewer than the protocol maximum.

Chipkin Tools

Top

Related content

Modbus Data Types & Byte Order Reference

How to handle 32-bit floats, byte order (endianness), multi-register values, and scaling factors in Modbus integrations. Includes a device byte-order lookup table.

Explore further

Tags

modbusreferenceprotocoltroubleshooting

Protocol references

Modbus

Need more help?

If this page does not resolve the issue, contact Chipkin support with the product model, protocol details, and any diagnostics you have already captured.

Open Chipkin Support