Had to dig around my old things to find this,
but here's an example of a payload I injected a while ago into a dosing pump made by Jebao that had a bug where it'd fail to properly load settings after power cycling.
This payload was used mainly to debug the problem itself, and once I figured out what was going on, I was able to develop a patch for it to permanently fix their own bug, which eventually required just a small modification of 2 function calls (marked in red is the actual patch, the code around it is what applies it to the firmware).
It took me about a week (in free time) from start to finish to tinker with and figure it out, however - I had the device on hand, had rich familiarity with its architecture instruction set and their firmware used some open source software that I was able to recognize and thus did not have to fully reverse engineer, which made this process easier for me.
The KHG from the quick glance I had in its firmware, is based on an architecture I have less experience with, and I also have no physical device to facilitate a proper debugging environment to work with.
Having a device on hand (preferably a locked one) would be the biggest road block here IMO.
Anyway - my point is that it is possible and practical to achieve, it'll be fun to work on, useful for many and most importantly - show prove companies that these practices are wrong and will get bypassed.