Well the mathematical or formulaic "whitebox" strategy does seem like a total deadend here. 10 rounds through the AES substitutionpermutation network (well I suppose 8 + the first and last which are slightly different) and even with a linear sbox, its pretty much hard to mathematically deduce anything.
From the "blackbox" way you mentioned. Well first we know the high bit of each byte is 0, giving 16 bits of 128. But 2^112 is still way too big and even playing with ascii character ranges does not get us within brute force range. So my guess here is quite obvious: linear cryptanalysis. Obviously differential is useless here as you did not give us two or more inputoutput pairs. But the linear sboxes should cause a linear bias: Statistical bias in the output bits based on the key bits. It should theoretically get this within range for a practical attack. Is this the right direction?
