Xiaomi vacuum cleaner token is a unique digital key that is required to integrate the robot with applications like Home Assistant, IoBroker or Node-RED. Without it, third-party platforms will not be able to control the device, even if it is successfully connected to the Mi Home. The problem is that Xiaomi periodically changes the rules for issuing tokens, and in new models (for example, Xiaomi Robot Vacuum S10 or DreameBot L10s Ultra) they are completely hidden from users.
In this article, we will analyze all the current ways to obtain a token - from standard viewing in Mi Home to bypassing restrictions through the use of a token. MITM-We'll focus on the new models from 2023 to 2026, where the token may not be in the usual places. If you've tried to find the key through the application and you haven't found it, don't close the page: there will be some non-obvious solutions.
1.Where to look for a token in the official Mi Home app
The easiest way to view the token is to view it directly in the Mi Home, but since 2022 Xiaomi has been hiding this information for new devices, and yet for older models (until 2021), the method still works.
Instructions for Android:
- π± Open Mi Home and go to the Profile tab β Settings β General settings.
- π Scroll down to About and tap it 5 times in a row (the developerβs hidden menu will open).
- π Select your vacuum cleaner in the list of devices β the token will appear in 64 characters (letters and numbers) format).
The iOS algorithm is similar, but instead of 5 clicks, 10 may be required. If there is no token, then your model uses a new authorization protocol (see Section 3).
β οΈ Note: In the latest versions of Mi Home (7.0+) vacuum-token Xiaomi/Dreame They may not be available even after the developer mode is activated, and this is due to the transition to enhanced authentication via Mi Cloud.
2. How to get a token through Mi Cloud Tokens Extractor
If the token is not displayed in Mi Home, use Mi Cloud Tokens Extractor utility.It extracts keys from the Xiaomi cloud without having to intercept traffic.
Step-by-step:
- Download and install Mi Cloud Tokens Extractor on Android (Android 8.0+ version is required).
- Sign in to the application under the same Mi Account to which the vacuum cleaner is attached.
- Click Get Tokens β in 10β30 seconds, a list of devices with tokens will appear.
- Copy your vacuum cleaner token (starts with 0x or alphanumeric combination).
The advantage of the method is that it works even for new models like the DreameBot X30 Ultra, but the disadvantage is that it requires root rights on some firmware (for example, MIUI 14).
βοΈ Preparation for the extraction of the token
3. Intercepting the token through MITM-attack (for advanced attack)
If the previous methods failed, the network traffic between the vacuum cleaner and Xiaomi servers is intercepted, and the method requires technical skills, but it is guaranteed to yield results.
What you need:
- π» Computer with Windows/Linux root-phone.
- π οΈ Fiddler or Charles Proxy to intercept traffic.
- π‘ Router with the ability to redirect traffic (or hotspot on PC).
Algorithm of action:
- Set up Fiddler to intercept HTTPS-Traffic (enable Decrypt) HTTPS traffic).
- Connect the vacuum cleaner to the network where the Fiddler acts as a proxy.
- In Mi Home, perform any action with a vacuum cleaner (for example, start cleaning).
- In Fiddler logs, search for a request for the domain api.io.mi.com, which will contain the line βtokenβ: βyour tokenβ.
β οΈ Xiaomi may block an account for suspicious activity MITM-Use this method only if other options are exhausted, and do not repeat the intercept more than 1 time per day.
What to do if the token is not found in the logs?
4. Alternative methods: through Home Assistant and Valetudo
If you use Home Assistant, you can extract the token through Xiaomi Miio integration:
- Add the vacuum cleaner to configuration.yaml: vacuum: - platform: xiaomi_miio host: IP_Token, your vacuum cleaner: xiaomi_vacuum_token
- Start Home Assistant in debug mode (logger: default: debug).
- In the logs, find the line Token for device IP_your vacuum cleaner is: [token].
For owners of Dreame vacuum cleaners (for example, DreameBot Z10 Pro), Valetudo firmware is suitable, which replaces the standard software and opens access to the token through the web interface:
- π§ Install Valetudo according to the instructions (root or Telnet access required).
- π Open it in your browser. http://IP_Cleaner and go to the Settings section β Mi Cloud.
- π The token will be displayed in the Token field (you may need to restart the device).
π‘
If after installing Valetudo, the vacuum cleaner stopped connecting to the Mi Home, reset it to the factory settings and repeat the procedure. reset_router_and_wifi via Telnet to completely reset the network.
5.Why the token may be missing and how to fix it
If you did not find the token in any way, the reasons may be as follows:
| Problem. | Reason. | Decision |
|---|---|---|
| The token is not displayed in Mi Home | New model with cloud authorization (2022+) | Use Mi Cloud Tokens Extractor or MITM |
| The token is there, but it's not working. | Expired (usually 3-6 months) | Get a new token through Mi Home or Valetudo |
| Mi Home doesn't show hidden menus | An outdated version of the application or region | Update Mi Home or change region to China Mainland |
| MITM-The attack does not intercept the token | Xiaomi uses pinning certificates | Install a user certificate in the Android system |
Pay special attention to regional restrictions, such as the European version of Mi Home, where tokens can be hidden, while the Chinese version of China Mainland can have them.
- In Mi Home, go to Profile β Settings β Region.
- Select China Mainland (SMS confirmation is required).
- Restart the application and check for the token.
π‘
Changing the region to China Mainland can lead to loss of functionality (for example, voice control in Russian).
6.Security: How not to lose the token and block the account
Xiaomi's vacuum cleaner token is almost like a device password, and if it falls into the wrong hands, an attacker can:
- π Remotely control the vacuum cleaner (turn on / off cleaning).
- π Get maps of your home (if saving cards in the cloud is enabled).
- π Change device settings (for example, disable cleaning areas).
To avoid problems:
- π Do not give the token to anyone in an open form (for example, on forums).
- π Periodically update the token (once every 3-6 months) through Mi Home.
- π‘οΈ Turn off Cloud-based card saving in vacuum cleaner settings if you donβt use this feature.
If you suspect that the token has been compromised:
- In Mi Home, remove the vacuum cleaner from your account and add it again.
- Reset the device to factory settings (reset button on the case).
- Get a new token by one of the methods described above.