Quick answer: A Modbus register map tells you which addresses exist, which function code to use, whether the value is read-only or writable, and how to scale the raw number into engineering units. If the map is wrong, everything built on top of it is wrong.
What a register map actually contains
A proper register map is more than a list of numbers. It should tell you:
- The register type: coil, discrete input, input register, or holding register.
- The address as shown in the documentation.
- The on-wire address or offset if the vendor provides it.
- The function code to use.
- The data type and length.
- Scaling, units, and any offsets.
- Whether the point is read-only or writable.
When those fields are missing, engineers start guessing. Guessing leads to mismatched addresses, exception responses, and dashboards that look fine but show the wrong values.
Register types and the notation problem
Modbus uses four logical data areas. The prefix in the human-readable notation tells you the category, not the raw address on the wire.
| Type | Common label | Typical function code | Writable? |
|---|---|---|---|
| Coil | 0xxxx | FC01 / FC05 / FC15 | Usually yes |
| Discrete input | 1xxxx | FC02 | No |
| Input register | 3xxxx | FC04 | No |
| Holding register | 4xxxx | FC03 / FC06 / FC16 | Usually yes |
The common trap is to assume that 40001 means the number you send to the device. It does not. It usually means the first holding register in the vendor's display notation. Many tools convert this to PDU address 0 before sending the request.
Example: how to read a simple map
Suppose a meter manual lists these items:
| Point | Register | Type | Scale | Meaning |
|---|---|---|---|---|
| Voltage L1 | 40001 | UINT16 | 0.1 | 230.5 V |
| Current L1 | 40002 | UINT16 | 0.01 | 12.34 A |
| Total kWh | 40010-40011 | FLOAT32 | 1 | 1,248.6 kWh |
On the wire, your master may send address 0 for 40001, address 1 for 40002, and address 9 for the first register of the 32-bit float pair. If your software asks for 40010 literally, but the library expects zero-based offsets, the request will point at the wrong place.
How to avoid the off-by-one problem
The safest habit is to ask one question for every register map: does this tool want display notation or PDU notation?
If the tool says “Holding Register 40001” and you enter 40001, you may already be wrong. If it says “Address” and the examples start at 0, it likely wants the PDU offset. If the tool asks for “Register number” and starts with 1, it may want the human-facing label. Always test a known value first.
Practical test: Put a known value in the simulator at one address, read it with your master, and confirm the exact wire address in the log. If you get the right number at the wrong displayed register, the map translation is wrong.
32-bit values, word order, and byte order
Many register maps use two 16-bit registers for one 32-bit value. That creates two separate sources of confusion:
- Word order: which register comes first.
- Byte order: how the two bytes inside each register are arranged.
Four common layouts appear in the field: ABCD, BADC, CDAB, and DCBA. If your float looks absurd, the register number may be correct and the word order may be wrong.
Example workflow for a float
- Read the raw two-register pair.
- Check the manual for word order notes.
- Try the vendor's recommended order first.
- If the result is nonsense, swap the words before changing the address.
Common register map mistakes
- Using 40001 directly in a library that expects 0.
- Reading an input register with FC03 instead of FC04.
- Trying to write to read-only data.
- Ignoring scale factors and reading raw values as engineering units.
- Assuming every 32-bit value uses the same word order.
- Assuming the same vendor uses the same map across all device models.
These mistakes are common because the map is often the only source of truth. If the map is ambiguous, the HMI or PLC code inherits that ambiguity.
How to test a register map before installation
Before the real PLC, meter, or drive shows up, load the map into ModbusSimulator and test the master software against it. That lets you verify:
- Address translation from your SCADA or PLC.
- Write permissions on holding registers and coils.
- Scaling for analog values.
- Word order for 32-bit values.
- Alarm thresholds and HMI tag bindings.
If the master works perfectly against the simulator but not the field device, the problem is in the real device, wiring, or vendor-specific map notes. If it fails in the simulator too, the problem is in your interpretation of the map.
Mini checklist for reading any Modbus register map
- Confirm the register type first.
- Confirm whether the address is zero-based or display-based.
- Check the required function code.
- Check whether the point is read-only or writable.
- Check the scale factor and units.
- Check the word order for multi-register values.
- Test a known value in software before using real hardware.
Related Guides
Modbus Function Codes Explained Modbus Register Types: Coils, Inputs & Holding Registers Modbus Slave Not Responding — 8 Causes and Fixes How to Simulate a Modbus Slave Without a PLCTest the map before the PLC arrives
Load your register table into ModbusSimulator, bind the tags, and verify every address, type, and scale value before the real device is installed.
Download ModbusSimulatorFrequently Asked Questions
Do all Modbus devices use 40001-style register numbers?
No. Many manuals use 40001 notation because it is familiar to engineers, but some tools and APIs use zero-based offsets only. Always check the vendor's documentation and the software's input format before entering the address.
Can I write to input registers?
No. Input registers are read-only by definition. If you try to write to them, the device usually rejects the request with an exception code or silently ignores it.
Why do some manuals say register 1 and others say register 0?
That difference comes from notation style. Some vendors number the first visible register as 1 for humans, while the protocol payload uses 0. The key is consistency within the same toolchain.
How do I find the correct address for a float?
Look for the starting register and the data type. A float usually spans two registers, so the starting address is the first of the pair. Then confirm the word order and byte order before reading the value.
What if the value is correct but the units are wrong?
That usually means the scale factor is being ignored. A raw value of 2305 may actually mean 230.5 V if the map says multiply by 0.1.
Can ModbusSimulator help me with register map debugging?
Yes. It lets you place known values at specific addresses, mirror the vendor's map, and validate the master side before any hardware is connected. That is the fastest way to isolate whether the mapping or the device is at fault.