Owners of modern cleaning devices often face the need to expand the functionality of the gadget beyond the standard application. This is especially true for smart home enthusiasts who want to connect the robot vacuum cleaner with other systems, such as Home Assistant or Yandex.Smart home. The key element for successful integration is a unique access identifier, which is often called a token. Without this digital key, most third-party integrations simply will not work, leaving the device in an isolated manufacturer ecosystem.
The process of obtaining a private key may seem complicated for an untrained user, but there are actually several proven methods: Xiaomi does not hide this information intentionally, but does not display it in a prominent place in the interface, following the security policy.
In this article, we will discuss the most current ways to mine a token this year, we will look at both software methods through special utilities and the technical nuances of the API. Attention: all actions you make at your own risk, although the methods described below are considered safe and do not require flashing the device.
Why do you need a token for a vacuum cleaner at all?
Many users are wondering why you can't just enter your account login and password into a third-party application, because the MiIO protocol, which is the basis for most Xiaomi devices communicating with the server, uses a two-factor authorization scheme. The application acts as an intermediary, but you need a static key to directly control locally or through alternative gateways. It is the token that confirms that a particular application has the right to give commands to a particular model, whether it is a Roborock S5 or Xiaomi Vacuum Mop 2 Pro.
Without this key, you can't implement advanced automation scenarios, like you can't run a voice cleaning through Alice if the integration is not configured correctly, or you can create a script that includes a vacuum cleaner when you leave your home by geolocation. Local control also becomes inaccessible, which is critical if the Internet channel is unstable. The token acts as a digital pass that links your account to your physical device.
β οΈ Warning: Never give your token to anyone or publish it publicly. Once you have this code, an attacker can control your device, see a map of the room and start cleaning at any time.
In addition, the token allows for alternative clients that may have a more user-friendly interface or advanced features not found in the official Mi Home app. Some enthusiasts even write their own scripts in Python to manage cleaning, which requires this secret setting.
Preparation for the extraction of the access key
Before you start technical manipulation, you need to make sure that your equipment is ready to work. First of all, check that the vacuum cleaner and your smartphone or computer are on the same local Wi-Fi network. Most often, devices operate at 2.4 GHz, so make sure that the router gives a signal in this range, since many models of vacuum cleaners do not see the 5 GHz network.
You will also need a Xiaomi account that the device is linked to. If you use regional servers (such as Russia or Europe), the process may be different from working with Chinese servers. Some methods require you to install additional software on a PC or smartphone. These can be specialized utilities for working with APIs or Android emulators.
It is important to know in advance IP-You can do this through your router settings or using network scanners. IP-Addresses will make the process easier if you choose to use a command line or specialized plugins.Without a stable connection between the control device and the vacuum cleaner, extracting the token can take much longer.
βοΈ Checklist before start
Method One: Using plugins for Home Assistant
The most popular way for smart home owners is to use the Home Assistant platform. Even if you donβt plan to leave it permanently, it provides a great toolkit for getting a token. Youβll need to install Xiaomi Mi Robot Vacuum integration. In the process of setting up, the system will try to pull the token out of the device using your credentials.
Once you add a device to your Home Assistant, the token can often be found in the system configuration files. /config/.storage/core.config_entries. Opening this file with a text editor, you can find the entry that corresponds to your vacuum cleaner and copy the value of the token field. This is one of the most reliable ways, because it uses official libraries.
If the automatic addition didnβt work, you can use the miot tool via the command line if the Home Assistant is installed on Linux or Raspberry Pi. This method requires minimal command line knowledge, but gives guaranteed results.
β οΈ Note: When using Home Assistant, make sure you have not created conflicting automation rules that can block access to the device during the token acquisition process.
The advantage of this method is that you get a full-time integration right away, so you don't have to look for additional scripts or manually enter parameters, but the system will check the token's relevance and, if it's changed (which is rare), try to update it.
Method Two: Python-script mio-token-extractor
For more technically advanced users, there is a great tool written in Python. The python-miio library allows you to interact with Xiaomi devices directly. First, you will need to install Python itself and the pip package manager on your computer. Once you install dependencies, you can run a script to extract the token.
The process is this: you enter your credentials (the username and password from your Xiaomi account), and the script goes to the server, receiving a list of devices and their tokens. This is possible because when you log in to the application, the token is also transmitted to the client, and the script emulates this process.
pip install python-miio
miio extract-tokens --username your login --password your passwordIt is important to note that using third-party scripts requires trust in the code, and it is recommended to run such utilities in an isolated environment or pre-examine the source code for malicious features.
The good thing about this method is that it doesn't require heavy systems like Home Assistant to be installed, and you get the token quickly and you can use it anywhere, but if you have two-factor authorization enabled on your account, it can be difficult because the script has to be able to process it. SMS-push-notification.
Method Three: Android Emulators and Traffic Sniffing
If the software methods don't work, you can try to intercept the token directly from the network traffic of the mobile application. To do this, you will need an Android emulator, such as BlueStacks or NoxPlayer, installed on a PC. Inside the emulator you need to install the Mi Home application and log in.
The essence of the method is that every time a request to the device (for example, when you start cleaning), the application sends a token in the header or body of the request. Using tools for debugging the network (for example, built into an emulator or third-party sniffers), you can track this request.
This is more time-consuming and requires understanding the basics of network protocols, and you'll need to filter out a lot of queries to find the exact one that contains the information you want, and you'll often find a token in an application's logs if you turn on debugging mode in your Mi Home settings.
| Method | Difficulty | I need a PC. | The risk of blocking |
|---|---|---|---|
| Home Assistant | Medium | Yes. | Low. |
| Python | Tall. | Yes. | Medium. |
| Sniffing (Android) | Tall. | Yes. | Low. |
| Root-rights (Android) | Very high. | No. | High-pitched |
It's worth mentioning that there are root-right Android apps that can read files from another app. If your phone has root access, you can just copy the Mi Home app database and extract the token from there. However, getting root rights is a risky operation that can lead to a loss of warranty on the smartphone.
Frequent errors and problems in obtaining a token
One of the most common problems is the wrong server region: Devices purchased in China can be linked to a Chinese server even if you have registered for an account in Europe, in which case the requests will go wrong and you will get an authorization error.
Another common mistake is using outdated versions of libraries. Xiaomi protocols are periodically updated, and older versions of python-miio may not support new encryption algorithms. Always update packages to the latest version before launching scripts. Problems can also arise due to blockages. IP-Addresses from Xiaomi servers when requests are too frequent.
Sometimes the token may be invalid or expired. Although Xiaomi tokens live long enough, for security reasons, their validity may be limited. If you get an error "Invalid token" when trying to manage, the extraction procedure will have to be repeated again. Also make sure that the device has the latest version of the firmware installed.
β οΈ Warning: Donβt try to brute-force tokens by brute force.This is technically impossible because of the key length (128 bits), and a lot of failed login attempts will result in your account being temporarily blocked.
If you are using a corporate network or complex router settings, make sure that the necessary ports are not blocked. Xiaomi devices use specific ports for local management, and closing them can lead to a timeout error when trying to communicate.
Security and storage of secret data
When a token is successfully extracted, it becomes a question of whether it's safe to use it, the token is the actual key to your device, it's not safe to store it in plain text files on your desktop, and it's recommended that you use password managers or encrypted configuration repositories if you're putting it into your smart home system.
If you use Home Assistant, the tokens are stored in encrypted form, which is a good security standard. However, if you transfer the token to scripts or other applications, make sure that access to these files is limited only to your user.
In the event of a token being compromised (if you accidentally posted it or suspect a leak), the best solution is to reset the device to factory settings and re-attach it to the account, which will generate a new token and the old one will become invalid, and it is also recommended to change the password from the Xiaomi account.
Remember that the token gives you full access to device management on the local network, but does not give access to your personal account data or other devices unless they use a shared encryption key (which is unlikely for modern versions of the protocol).
Use of the token in third-party systems
Once you get the cherished string of characters, you can integrate the vacuum cleaner almost anywhere. YAML-User interface or configuration where you need to specify IP, And then there's the services that go into the system to start cleaning, to return to base, to set up suction power, and even to build a map.
There are many possibilities for computer programmers: using the python-miio library, you can write a script that will analyze the map of contamination (if the model supports) and start cleaning only in certain rooms, or, for example, synchronize the vacuum cleaner with smart sockets: if the vacuum cleaner starts working, the socket with the iron turns off.
It also allows voice control through local servers like Rhasspy or Home Assistant Voice, without transferring data to the cloud of large corporations, which increases the privacy and speed of the system response, so you can say, "Alice, ask the vacuum cleaner in the kitchen," and the team will go directly to the local network.
Remember that using a token takes responsibility for the stability of the device. Mistakeful scripts can corner the vacuum cleaner or make it run continuously, consuming battery life. Always test new scenarios under supervision.