Integrating smart machines into a single ecosystem often requires hidden access parameters, and the device token is the most important of them. Without this unique key, you canβt fully interact with a robot vacuum cleaner through third-party applications or a local network. Many users face difficulties precisely at the stage when standard Mi Home features become insufficient.
Modern models like the Xiaomi Vacuum Mop 2 Pro or Roborock S7 use secure communication protocols that require authorization. The token is a long string of 32 hexadecimal characters that is generated when a gadget is linked to an account. In this article, we will discuss in detail all available methods for extracting this key, from simple scripts to complex manipulation of network traffic.
It is important to understand that the procedure for obtaining a token can vary depending on the version of the operating system of your smartphone and the region of the account registration. Some methods require root rights or use of a computer, while others are available directly from a mobile device.
Why do we need a token and where do we use it?
The tokenβs main function is to provide a secure connection between the control device and the vacuum cleaner itself. When you use the official Mi Home app, it hides the process from the user by automatically substituting the keys in the background. However, in advanced automation scenarios, direct access becomes a necessity.
Most often, the token is required to integrate a smart home into systems such as Home Assistant, OpenHAB or Domoticz. These platforms allow you to create complex scenarios that are not available in standard software, for example, to start cleaning when all residents leave the house or send notifications to Telegram when the filter clogs.
There are several popular libraries and plugins that donβt work without this option, such as miio integration for Node.js or components for Home Assistant that require input. IP-Without them, the robot will remain isolated in the closed perimeter of the manufacturer's ecosystem.
- π Local device management without the delays typical of cloud servers.
- π Integration into third-party smart home systems to create cross-platform scenarios.
- π Collecting advanced statistics and logging all robot actions for analysis.
- π Installation of alternative firmware or modified software.
β οΈ Note: Transferring the token to third parties is tantamount to transferring a password from your account.The token owner gets full control of the device, including the ability to view room maps and cleaning history.
The method of obtaining through Mi Home (Android)
The most common way to extract an access key involves using a modified version of the official application or special plugins. The standard version of Mi Home, available on Google Play, does not display the tokens of connected devices in plain view for security reasons. Therefore, installation APK-file with advanced functions or use of a plugin to export data.
The process is as follows: after installing the modified application, you must log in to your account. The profile menu or plugin settings usually have an "Export tokens" or "Show token" button. When you click, the system will display a list of all associated devices with their unique identifiers. If you use the method with the plugin, then after activating it, a new menu item will appear in the Mi Home settings.
It is worth noting that on newer versions of Android (11 and above), the system can block the installation of applications from unknown sources or restrict their access to the file system, in which case special permissions may be required through ADB or the use of an emulator.
β οΈ Note: Using modified versions of applications carries security risks. APK-files only from trusted repositories, such as GitHub, official plugin developers.
Using Python-script miio
For users who prefer command-line work and have basic programming skills, the python-miio utility is a great solution. This cross-platform tool allows not only to receive a token, but also to control the device directly from the terminal.
To start, you need to install Python and the library itself through the pip package manager. The installation command looks standard: pip install python-miio. After installation, you will need to run a special script that will request your credentials (login and password from Mi Account).
It is important to note that when using this method, your credentials are entered into a console script. Although the code is open and can be verified, for especially paranoid users, there is an alternative using a temporary password or authorization token obtained through the web interface, and the method requires a stable connection to the Internet at the time of execution of the script.
miio token --username "your login" --password "your password"The result of the execution of the command will be a list of devices with their IP-This data can be stored in a text file for further use in the configuration files of other programs. If two-factor authentication is enabled, the script will request the confirmation code that came to the phone.
Receiving a token through a traffic sniffer (PC)
The most versatile but technically sophisticated method involves intercepting network traffic between a smartphone and Xiaomi servers, which would require a computer, a smartphone (Android or iOS) connected to a single Wi-Fi network, and installed sniffer software such as Wireshark or mitmproxy.
The first step is to install a root certificate (CA) on your smartphone to be able to decrypt HTTPS traffic, without which you will see only an encrypted data stream. Once you set up a proxy on your phone and start recording packets on your computer, open the Mi Home app and perform an action with the robot, such as starting a cleanup. The logs will see a request containing a token in the open form.
This method is difficult for beginners, as it requires setting up network parameters and understanding the principles of network protocols, but it does not require installing dubious software on the main smartphone and works even with the latest versions of iOS, where access to the file system is closed. The token is usually in the JSON-server response in the result or token field.
- π‘ Install Wireshark or mitmproxy on your computer and find out IP-address.
- π± Set up a Wi-Fi proxy on your smartphone by specifying IP port.
- π Import and install a trusted certificate SSL mobile.
- βΆοΈ Start capturing traffic, perform an action in the application and stop recording.
β οΈ Note: When using traffic sniffers on corporate or public Wi-Fi networks, your actions may be considered an attack by the security system.
Comparison of key extraction methods
The choice of the specific method depends on your technical training, the type of smartphone used and the purposes for which the token is needed. Each method has its advantages and disadvantages, which are worth weighing before starting the procedure. Below is a comparison table to help determine the best option.
For ordinary users who just want to connect the robot to Home Assistant, the easiest way to do this is to use the Mi Home plugin on Android. APK-file, sniffer or Python script. Root-righted device owners can extract the token directly from the application's system files.
| Method | Difficulty | I need a Root. | I need a PC. | Security |
|---|---|---|---|---|
| Plugin Mi Home | Low. | No. | No. | Medium |
| Python miio | Medium | No. | Yes. | Tall. |
| Traffic sniffer | Tall. | No. | Yes. | Tall. |
| Root access (SQLite) | Medium | Yes. | No. | Tall. |
π‘
If you changed the password from Mi Account, the old tokens received earlier may stop working, in which case the procedure for obtaining the token should be repeated again.
Frequent errors and problems in obtaining
Users often face a number of common problems in the process of extracting a token, one of the most common being an authorization error when using scripts, which may be due to your account being registered in a region whose servers are temporarily unavailable to third-party utilities, or two-factor authentication is enabled, which the script cannot process automatically.
Another common problem is that you can't connect to a robot after you receive a token, and that's often because you've changed. IP-The device's address is on the local network. Robot vacuum cleaners usually get the address at DHCP, And once you reboot the router, it can change. IP-address behind the device in the router settings or use static IP.
There are also cases where the Mi Home application is forced to update and the plugins stop working, in which it helps to find a specific version of the APK that is compatible with the existing plugin, or wait for the plugin to update by the developers.
βοΈ Checklist before the procedure
Security and storage of the token
Once a token is successfully obtained, it is critical to keep it safe, and this key is the actual administrator password for your device, and if it falls into the hands of intruders, they will not only be able to manage the cleaning, but, in theory, use a microphone (if it is in the model) or a surveillance camera, and integrate the robot into the botnet.
Store the token encrypted, especially if you use it in configuration files that can be made public (for example, when you upload configs to GitHub). Many smart home systems allow you to use environment variables or special secret storage files, which is much safer than storing it in plain text.
In case of suspected token compromise, the only effective way to protect is to completely reset the robot vacuum cleaner to the factory settings and change the password of the Mi Account. After that, all previously issued tokens will become invalid, and the procedure will have to go through again with new keys.
- π Never publish tokens in open sources, support chats or forums.
- πΎ Back up token files to external media or to an encrypted cloud.
- π Change passwords from smart home accounts regularly.
π‘
A token is the key to your smart home.Take it as seriously as an online banking password.