Where to find the token robot vacuum cleaner Xiaomi on the iPhone: detailed instructions

Owners of the smart home ecosystem often face the need to integrate Xiaomi devices into third-party platforms such as Home Assistant, Homebridge or Yandex.Smart Home, bypassing standard restrictions. To successfully pair a gadget with alternative control systems, it is critical to know a unique security identifier called a token. On Android devices, this process is relatively simple due to the presence of root rights or the ability to intercept traffic, but iPhone users face the closed iOS operating system, which creates certain difficulties in extracting key data.

The token is a 32-character string in hexadecimal format that serves as a digital key to authorize the commands sent to your robot vacuum cleaner. Without this key, local device management is impossible, because the miIO protocol requires encryption of all requests. In this article, we will discuss in detail all available methods for obtaining this information directly from an Apple device, consider the nuances of the Mi Home application and suggest alternative ways to solve the problem.

It should be noted that standard iOS tools, without the involvement of additional hardware or specialized software, to get the token directly from the Mi Home application. Apple's security policy strictly regulates the access of applications to the network data and the file system of other programs. Therefore, finding a token on an iPhone will always involve the use of either third-party traffic sniffers or already saved iCloud backups, if they were created earlier.

⚠️ Note: The process of obtaining a token may require a temporary disconnection of the device from the Internet or the use of specialized software. Make sure that your robot vacuum cleaner and iPhone are on the same Wi-Fi network before starting the procedure.

What is a token and why it is needed by the owner of the iPhone

The access token is a unique secret key that is generated by the Xiaomi server when the device is linked to the user's account, and is necessary to establish a secure connection between the control device (in this case, the iPhone) and the executor (the robot vacuum cleaner). Unlike a Wi-Fi password or Mi Account, the token is not stored in the open form in the application interface, which is a measure of protection against unauthorized access by attackers to your home network.

The main reason iOS users are looking for this key is to expand the functionality of the smart home. The standard Mi Home app limits use cases to products of the Xiaomi ecosystem. Integration with the Home Assistant, creating complex automations through Node-RED or connecting to voice assistants like Siri (via HomeKit without bridges) requires direct access to the device’s API, and this is where a token comes on the scene that allows you to send direct commands such as “start cleaning”, “get back on base” or “limit suction power”.

It's important to understand the difference between a device token and an account token, and we're interested in Device Token, which is unique to each gadget, and if you have multiple robot vacuum cleaners installed in your home, like the Xiaomi Vacuum Mop 2 Pro and the older Roborock S5, each one will have its own key, and trying to use a token from one device to control another will lead to an authorization error.

  • 🔑 The token is required for local device management without accessing cloud servers in China or Europe.
  • 🏠 Key allows you to integrate the vacuum cleaner into a single system of smart home Apple HomeKit or Google Home.
  • 🛡️ Without a token, it is impossible to use advanced features such as installing cleaning zones through third-party interfaces.

iPhone users are often less advantageous than Android owners, as iOS does not allow apps to scan the local network for Xiaomi devices as freely. However, there are proven methods to circumvent these restrictions, which we will discuss later.

Preparing iPhone and Network to Receive a Token

The first and most important step is to make sure that your iPhone and robot vacuum cleaner are connected to the same Wi-Fi network. If you have a router that supports 2.4 GHz and 5 GHz frequency separation, make sure that both devices are in the 2.4 GHz segment, since most Xiaomi vacuum cleaner models do not support 5 GHz frequency.

The second stage of preparation is to install the necessary applications. You will need an official Mi Home app (or Roborock if your vacuum cleaner is linked to this brand), which must already be configured. In addition, you will need a specialized traffic sniffer to intercept data on iOS. The most popular and functional solution at the moment is the application. HTTP Catcher or its analogues available in the App Store. These programs create locally available applications. VPN-a profile through which all traffic of the device is passed, allowing analysis of data packets.

⚠️ Warning: Installing apps to intercept traffic requires trust in the developer.Use only proven tools from the official App Store to avoid leaking personal information about your Mi Account.

It is also recommended to free up space in the iPhone memory, as the logging process can create temporary files. Before starting the procedure, close all background applications except Mi Home and sniffer. This will help avoid conflicts and connection breaks at a critical moment. Make sure that the phone is on Wi-Fi, but turned off mobile Internet (LTE/5G) at the time of setting up, so that all traffic is guaranteed to go through the Wi-Fi interface.

☑️ Preparation for obtaining a token

Done: 0 / 4

Method of intercepting traffic via HTTP Catcher on iOS

The most reliable way to get a token on an iPhone without using a computer is to intercept network traffic when the application interacts with the device. To do this, we will use the HTTP Catcher application. After installing the program, launch it and press the "Start" (or "Capture") button to activate the local VPN. The system will ask for permission to add a VPN configuration - confirm the action by entering the screen unlock password or FaceID.

Once you activate the sniffer, open the Mi Home app. You need to do any action with the robot vacuum cleaner that sends a command to the server. The best thing to do is to switch the cleaning modes, start or stop the device. For example, click the Start button, then immediately Stop. At this point, the application sends a packet of data containing the encrypted token. Go back to the sniffer app and stop recording traffic.

Now the analysis process begins, and in the list of captured queries (usually time-sorted) you need to find a domain that contains the word miot or xiaomi. /app/v2/ha/device/get_hardware_info or a similar path related to obtaining device status. Click on this request, go to the "Response" section and select the display format "Text" or "JSON".

In the answer text, you need to find a line containing the word token. It will look like a long sequence of numbers and letters (for example, 6f12a3b4c5d6e7f8g9h0i1j2k3l4m5n6). Copy this combination. This is your desired key. If there is no token in the answer, try to perform another action in the Mi Home application or restart the snifer and repeat the procedure.

💡

If you see a lot of encrypted data in HTTP Catcher, try filtering queries by the keyword “status” or “props”, as this is where the token is most often transmitted when the device is updated.

Using iCloud backups to extract the key

An alternative method that may seem complicated, but often proves more effective if the traffic interception fails to produce results, is to analyze the backup of iCloud.The Mi Home app stores device tokens in local storage, which goes into the backup. However, you can not read this copy directly on the iPhone - you will need a computer (Mac or Windows) and specialized software.

The method is to make a fresh backup of your iPhone to iCloud, then restore it to your computer using an extractor program (e.g., iMazing, iBackup Viewer or free GitHub analogues such as iphone-backup-extractor). In the backup file system, you need to find a folder corresponding to the Mi Home application (usually Bundle ID com.xiaomi.mihome). Inside the Library or Caches folder, a miio.db file or a configuration text file where tokens can be stored in an open form or simply in an encrypted form.

This method requires a computer, but it's completely safe for the vacuum cleaner itself, because it doesn't require active network intervention in real time. If you're using a Mac, you can use sqlite3 to open an application database if it's not protected by additional encryption. Often, the tokens are in a Device or Auth spreadsheet.

MethodEquipment requiredDifficultyEfficiency
HTTP CatcheriPhones only.MediumTall.
iCloud BackupiPhone + PC/MacTall.Medium
Xiaomi routerXiaomi routerLow.100% (if you have a router)
What to do if the token in the database is encrypted?
In some versions of iOS and Mi Home, tokens can be encrypted with a key tied to the device, in which case the backup method will not work without jailbreaking.

Special case: Xiaomi routers and automation

There is one scenario that makes life much easier for Xiaomi ecosystem owners: If you use a Xiaomi model as your main router (for example, Mi Router 3G, Mi Router 4A or newer models with OpenWrt firmware), the process of obtaining a token becomes trivial.

To access this function, you must log into the router’s web interface (usually at the address). 192.168.31.1) and go to the section related to the smart home or plugins. /cgi-bin/luci/;stok=Your stock./xqsystem/xqtoken (The path can vary depending on the firmware version. This page shows a table of all devices from their respective devices. MAC-address, ID And most importantly, tokens.

This is the easiest method, but it's only available to a small group of users who have invested in the Chinese giant's network equipment. If you have a router from Keenetic, TP-Link or Asus, this will not work, and you will have to use the methods described above.

  • 📡 Xiaomi routers automatically collect tokens when connecting devices.
  • 🔐 Access to tokens is carried out through the router’s web interface.
  • 💻 The method does not require the installation of additional software on the iPhone.

Common mistakes and ways to solve them

Users often face a number of problems in the process of searching for a token, and one of the most common is the "Token not found" error in the sniffer, which occurs when the Mi Home app uses cached data and does not send a new request to the server. Solution: Close the Mi Home app completely before starting the sniffer, turn on the sniffer entry, open Mi Home, and immediately perform the action with the vacuum cleaner.

Another problem is changing the region in the application. The token is tied to the region server that you select in your account settings. If you change region from Russia to China or vice versa, the old token will stop working and the device will need to be re-associated in the application to generate a new key. Always check if the region in the application and in the integration settings where you type the token.

Also worth mentioning is the issue with iOS versions. 16/17 Apple has increased its protection VPN-Some sniffers may not work well, so try to delete the profile. VPN in the iPhone settings (Principal) → VPN and control the device) and create it again through the sniffer application.

⚠️ Note: The token may change after the device is reset to factory settings or after rebinding in the application. If the integration stops working, you may have to repeat the procedure for obtaining the token again.

💡

The success of getting a token on an iPhone depends on the correct time to turn on the sniffer and perform an active action in the Mi Home app at the time of packet capture.

Security and storage of the token

Once you get a token, many users forget about its value. In fact, you have full control of the device. Anyone who has this key and has access to your local network can operate a vacuum cleaner. So storing the token must be secure. Don't send it to messengers, don't store it in notes with access over the network, and don't put screenshots of the token in public.

It is best to write a token to a password manager (e.g. iCloud Keychain, 1Password or KeePass) or save it to an encrypted text file. When you enter a token in Home Assistant or other systems, use a copypast to avoid character errors. A mistake in even one sign will make the key unworkable.

Remember, the token doesn't give you access to your Mi Cloud account, photos or other devices without knowing your account password. It only controls a particular device. However, with access to a smart home device, an attacker could theoretically try to attack other gadgets on the local network if they have vulnerabilities.

Can I use a token for multiple phones?
Yes, the token is tied to the device, not the phone. You can use the same token to integrate the vacuum cleaner into the Home Assistant on the Raspberry Pi, into the Homebridge on the Mac, and any other app at the same time. There are no limits on the number of customers.
What to do if the Mi Home app is updated and the token is missing?
Applications rarely change the way a token is stored, but they can change the query structure. If the old sniffer method has stopped working, try searching the Internet for the current "User-Agent" for the new version of the application and substituting it in the sniffer settings, or use the backup method.
Will the token work if you change the region in the app?
No. The token only works within the server (region) where the device was linked, changing the region in the application settings will require re-authorization and, as a result, generation of a new token, the old key will become invalid.
Do I need the Internet to work with a token?
No, one of the main advantages of using the token is the ability to locally manage, and if you set up integration (for example, in Home Assistant), you can control the vacuum cleaner even when the Internet is off while your control server and vacuum cleaner are on the same network.