Owners of the Xiaomi ecosystem often face the need to integrate gadgets deeply into third-party smart home systems. Local management of devices without a cloud requires a unique security identifier, which is necessary for synchronization with platforms like Home Assistant, Homebridge or specialized scripts in Python.
Without the right device token, you canβt set up automation that works without the Internet, or extend the functionality of the device beyond the official application. The process of obtaining this code may seem difficult to a beginner, but there are several proven ways to extract it.
In this article, we will cover all the current methods, from simple scripts to traffic analysis, you will learn how to prepare a computer, which applications to use and where to find the right string of characters for your model.
Why do we need a token and where does it apply?
The token is a 32-character string in hexadecimal format that serves as an authorization key, which allows third-party software to communicate with the device over a LAN, which is critical for those who value the privacy and responsiveness of the system.
Main application is integration into Home Assistant. the standard Xiaomi Miio plugin requires input IP-Without this step, management is only possible through the company's cloud server, which creates delays and depends on the availability of servers in China or Europe.
The token is also needed to use advanced debugging tools such as miio-cli or python-miio, which can, for example, force the device to restart, change the region of operation or run hidden diagnostic functions that are not available in the normal interface.
Preparation for the removal of the security key
Before you start technical manipulation, you need to perform a number of preparatory steps: make sure that your mobile device and computer are on the same local Wi-Fi network, which is a basic requirement for most methods of interception.
You will need to install the official Mi Home app on your smartphone. If you already have an account, make sure the device is added to it and displayed correctly in the list. Some scripts may require root access or use of an Android emulator on your PC to work.
βοΈ Tool preparation
It is important to know the model of your device, as communication protocols may differ. For older models of light bulbs or sockets, methods may be easier, whereas newer cameras and robot vacuum cleaners use enhanced encryption.
Method 1: Using Python scripts and miio library
The most versatile and reliable way for advanced users is to use the python-miio library, which requires installing Python on a computer and basic command line knowledge.
First, you need to install the library itself through the terminal, type in the pip install python-miio command and wait until all dependencies are installed, and then you can run the utility to get the token using your credentials.
miio-vacuum-token --username your email --password your passwordThe script will contact the server Xiaomi, log in under your acca is a must. In response, you will receive a list of all devices associated with the account, with their IP-This method is considered the safest, because it does not require the installation of dubious software on the phone.
π‘
Use the Python virtual environment to install libraries so you donβt conflict with other system packages.
If you don't want to use the command line, there are graphical interfaces for this library, like the Xiaomi Cloud Token Extractor, which do the same thing, but in a more user-friendly format.
Method 2: Analysis of traffic through proxy (Charles Proxy)
The method of intercepting traffic is classic and works even when the scripts are powerless. You will need a program Charles Proxy or Fiddler on your computer and configured it. SSL-phone-certificate.
The essence of the method is that the phone connects to the Internet through a computer, the proxy program intercepts the requests of the Mi Home application to the server, and the body of the request or response contains the desired token in plain or encrypted form.
| Parameter | Description | Where to find |
|---|---|---|
| Host | Server address | api.io.mi.com |
| Path | Path of request | /app/v2/ha/device/get_token |
| Parameter | Required value | token |
| Format | Data format | Hex (32 characters) |
Once you have configured the proxy and installed the certificate, open the Mi Home app and go to the device menu. Logs will be flooded with queries. Look for queries that contain the word token or api.io.mi.com.
β οΈ Warning: Modern versions of the Mi Home app can use additional payload encryption.If you only see encrypted data, this method may not work without additional decryption plugins.
Method 3: root rights and Android file system
For smartphone owners with root rights, there is a direct path, and device tokens are often stored in the appβs local databases on the phone itself.
Using a file manager with access to system partitions (e.g, MT Manager or Root Explorer, go to the /data/data/com.xiaomi.smarthome/databases/. You are interested in a file called miio.db or smart_home.db.
Opening a database through any SQLite editor, find a device table. The token column will store the keys for all the devices added. It's a fast way to connect to a PC without having to connect to a computer.
What to do if there is no database?
Remember that modifying system files can cause an application to run in an unstable way, and it is recommended to back up the database before any action.
Method 4: Specialized extractor applications
There are a number of applications created by enthusiasts specifically for token extraction, and one popular solution is the Xiaomi Token app or its counterparts, available in third-party app stores.
The principle is simple: you enter the username and password from your Xiaomi account directly in the application, the program independently accesses the servers and gives out a list of tokens, which is the easiest option for those who do not want to mess with the code.
However, you take risks by sharing your credentials with a third-party developer, and although many of these apps are open-source and community-verified, caution is not a problem.
β οΈ Warning: Never use your primary account with linked payment details in unverified apps. Create a separate user profile for tests.
After receiving the token, be sure to change the password from your Xiaomi account through official channels to protect your data from potential compromise.
Frequent errors and problems in obtaining a token
The key extraction process is not always smooth. Often users experience invalid credentials errors, which means that the password is incorrect or the account is blocked, check if you need to confirm the login via SMS.
Another common problem is a blank list of devices, which happens if you select the wrong server region in the script or application settings, and make sure you select the same region as the Mi Home application.
π‘
The token is valid indefinitely until you reset the device or remove it from the application.
Itβs also worth considering that some devices, especially encrypted cameras, may not give the token back to standard methods, often requiring them to disassemble the case and connect to debugging contacts on the board, which is the lot of engineers.