My first pass at this would be to put something like Charles between the wifi AP and the internet and taken a look at what was going on. After understanding the protocol, then would it be a lot easier to look for an OTA FW exploit or mitm attacks around the string manipulation functions used to communicate to the outside.