Integrating smart tech into a single ecosystem often requires a deeper dive into the technical details than just installing an app. Owning a Xiaomi robot vacuum cleaner, you may find yourself having to manually link the device to third-party control systems like Home Assistant or OpenHAB. To successfully synchronize these platforms, knowing a unique access identifier called a token is critical.
This secret security key is generated by the server when the gadget is first connected to the network and is used to encrypt local commands. Without knowing token, managing the device through local protocols becomes impossible, since the Xiaomi server will not transmit the cleaning command without verifying the authenticity of the request.
There are several proven ways to extract this information, each with its own features and software requirements, and we'll look at methods that don't require root rights, as well as more advanced options for power users. It's important to understand that a local token is not a static password that you can guess, but a dynamic key that is tied to your account and a particular device.
What is a token and why is it needed
The token is a 32-character hexadecimal string that serves as a digital pass to manage the device. The MiOT (Xiaomi IoT) protocol, on which most of the brand's gadgets work, uses this key to authenticate. When you send a command through an official application, it automatically inserts the token into the query header. However, third-party systems that do not have access to your account in the Xiaomi cloud require manual input of this value.
Without the right token, any attempt to interact with the vacuum cleaner will be rejected by the security gateway, which protects your smart home from unauthorized access by intruders who could intercept traffic on the local network. Obtaining a token is the first step to fully automate cleaning, allowing you to run the vacuum cleaner on a smart home schedule or activate it with voice through local assistants.
β οΈ Note: Never give your token to third parties. Once you have this key, it is theoretically possible to gain full control of your device within the local network.
Itβs worth noting that some older models may have static or even default tokens, but modern devices like the Roborock S5, S6, S7 or Xiaomi Vacuum Mop series use dynamic generation, which means that when you reset the device or reassign it to another account, the token will change and you will have to retrieve it.
Preparation for the extraction of the token
Before you start technical manipulation, you need to make sure that your device and environment are in the right condition. The main requirement is that the robot vacuum cleaner and the smartphone from which the extraction will be made must be on the same local Wi-Fi network. It is advisable to use a network with a frequency of 2.4 GHz, since many IoT devices do not support the 5 GHz standard or work with it unstablely.
You will need a computer (Windows, macOS or Linux) or an Android smartphone with a terminal emulator installed. For iOS users, the process is more complicated due to the limitations of the operating system, so it is recommended to use a PC or Android device. Also make sure that the phone has the Mi Home app installed and the device is successfully added to it.
βοΈ Pre-testing
It is important to know in advance IP-You can do this in the Wi-Fi settings on your phone, if you use the traffic sniffer method, IP-The phone address will act as a target for packet filtering. Write down this address, it'll be used to set up the sniffer.
Method 1: Using an Android emulator and sniffer
The most universal method that doesn't require root rights on the main phone is to use an Android emulator on your computer. You'll need to install an emulator like NoxPlayer or BlueStacks, and inside it run the Mi Home app. The essence of the method is to intercept network traffic between the application and the Xiaomi server.
To analyze traffic, you use the mitmproxy or Packet Capture utility. Once you install the sniffer on the emulator, you need to configure the proxy connection. IP-The computer address is like a proxy server and the port on which the sniffer is running (usually 8080).Be sure to install the sniffer security certificate in the trusted ones on the emulator, otherwise the traffic will be encrypted and not amenable to analysis.
Once set up, start intercepting traffic and open the Mi Home app in the emulator. Find your robot vacuum cleaner in the list and click on it to open the control panel. At which point the application sends a request to the server to obtain device status, and this request contains the desired token. In the sniffer logs, look for queries to domains containing miotspec or xiaomi.
What to do if traffic is not visible?
When you find the package you want, look at the query parameters. The token is usually sent to the token field or the Authorization header. It looks like a long string of numbers and letters from a to f. Copy it and save it in a safe place.
Method 2: Analysis of the application database (Root Requires)
If your smartphone has root rights, the process of obtaining a token is much easier and more reliable.The Mi Home app stores the tokens of all connected devices in the local SQLite database. Access to this file allows you to instantly get all the necessary information without complex network equipment configuration.
The database file is usually located on the path: /data/data/com.xiaomi.smarthome/databases/miio.db or in a similar directory, depending on the application version. To work with the file, you will need a file manager with access to system partitions, such as Root Explorer or Solid Explorer.
Copy a database file into internal memory or onto a computer, and you can open it with any SQLite viewer, such as a computer, DB Browser for SQLite. You're interested in a Device or SmartHome table inside you. Find a row that matches your robot vacuum cleaner. MAC-address or model name, and look at the token field.
| Parameter | Description | Where to find out. |
|---|---|---|
| Device ID | Unique device number (did) | Device card in Mi Home |
| Token | Access key (32 characters) | Database miio.db |
| IP Address | Local address of vacuum cleaner | Router settings or device card |
| Model | Device model (e.g. roborock.vacuum.s5) | Settings -> About the device |
β οΈ Warning: Be extremely careful when working with system files and root rights. Accidental deletion or modification of other records in the database may lead to malfunction of the Mi Home application.
This is particularly useful because it allows you to get tokens from all the devices in your smart home system at once, so you don't have to repeat the procedure for each gadget separately, just export the data and use it to set up the integrations.
Method 3: Using Python scripting xiaomi_miio
For users familiar with the command line and Python programming language, there is a dedicated python-miio library, developed by community enthusiasts and allowing you to interact with Xiaomi devices directly.
The library is installed by the pip install python-miio command. Once installed, you will need to use the command to extract the token by providing a username and password from the Mi Home account. The script is logged in to Xiaomi's server, receives a list of devices and their tokens, and then displays them to the console.
miio-vacuum --model roborock.vacuum.s5 --ip 192.168.1.100 --token YOUR_TOKEN statusHowever, for the initial receipt of the token, a separate script miio-extract-tokens is often used, which is included in some library forks or is available as a separate tool in GitHub repositories. You will need to enter your credentials (server, login, password), and the script will return JSON-list with all devices and their tokens.
The advantage of this method is that it's cross-platform and automateable, and you can write a script that will periodically check the status of the token or update it in the Home Assistant configuration file when you change it, making it ideal for advanced users.
Typical errors and their solution
Users often face a number of problems in the process of extracting a token, one of the most common being the wrong server region; Xiaomi accounts can be linked to servers in China, Europe, Russia or the United States; if you try to log in with a script or sniffer, choosing the wrong region, the server will reject the request or return an empty list of devices.
Another common error is two-factor authentication (2FA). If your account is protected via SMS or email, simple scripts may not be able to handle the request for a confirmation code. In such cases, it is recommended to temporarily disable 2FA while receiving the token or use methods that work directly with the database of the application where the token is already stored.
Also worth mentioning is the problem with models that run exclusively through the cloud protocol and do not support local management. Some low-end models of robot vacuum cleaners may not have local API functionality, and the token for them will be useless for third-party integrations. Always check the model specifications for support for Local API.
π‘
If you change the password from your Mi Home account, all previously received tokens may become invalid, you will have to re-link the device or retrieve the tokens through the database after re-authorization.
Don't forget that IP-The address of the device in the local network may change if the router is not configured to static address issuance (DHCP Reservation. For stable operation of integrations, be sure to reserve IP-address for the robot vacuum cleaner in the router settings, linking it to MAC-address.
FAQ: Frequently Asked Questions
Can I get a token without a computer, only from a phone?
Will the token change if I reinstall the Mi Home app?
Is it safe to use third-party scripts to get a token?
Where exactly to store the received token?
What if the token is not suitable for integration?
π‘
A properly defined and stored token is the key to the full autonomy of your robot vacuum cleaner in the smart home system, allowing you to bypass the limitations of the Xiaomi cloud.