It looks like the password address on modbus is 1F00, and the VFD returns 8888 if you supply it the correct one.
It’s likely at address 01
Modbus write single register command is 06
So a brute force command sequence that looks something like this might work:
Header - VFD address/command/data address
01
06
1F
00
— 0000 through FFFF ----
CRC01
CRC02
Would probably get you there. Send new passwords until you get an 8888 data response.
If 01 isn’t correct, cycle through addresses until you get it.
Shouldn’t take more than 5 minutes of communication time.