Robot vacuum cleaner Xiaomi Vacuum Mop Pro (models) STYJ02YM, STYTJ01ZHM It requires an access token to integrate with third-party smart home systems, from Home Assistant to Node-RED. Without this unique code, you wonβt be able to control the device through a single device. API, Automate scheduled cleaning or get battery status data, and the problem is that Xiaomi doesn't provide the token openly, and you have to extract it yourself.
In this article, we will analyze all the current ways to obtain a token for Vacuum Mop Pro β from the official method through Mi Home to bypassing restrictions using Python scripts and other tools. MITM-You will learn what tools you need, how to avoid blocking your account and what to do if the token suddenly stopped working, and the only legal way to get a token without risking losing the warranty (spoiler: it is associated with the official one). API Xiaomi Cloud).
1 What is Xiaomi Token and Why is it Needed
A token (or authentication token) is a unique 32-digit key that identifies your device in the Xiaomi ecosystem.It is generated by the company's servers when you first connect a vacuum cleaner to your Mi Account and is used to:
- π Authentication of requests to API vacuum cleaners (e.g. start, pause commands, get_status).
- π Reading telemetry: charge level, cleaning maps, sensor errors.
- π€ Integration with third-party systems (Home Assistant, ioBroker, OpenHab).
- βοΈ Hidden settings not available in the standard Mi Home app.
Without a token, you're limited to the functionality of an official app, like:
- π Start cleaning on schedule with Google Assistant or Alice.
- πΊοΈ Export room maps for analysis in Python or QGIS.
- β‘ Increase suction power above the limits set by Xiaomi.
β οΈ Attention: The token is tied to a specific device and Mi Account. If you dump the vacuum cleaner to the factory settings or change the region of the account, the token will become invalid. API (For example, too frequent requests).
2.Official method: obtaining a token through Mi Home (without risks)
This is the only method that does not violate Xiaomiβs user agreement and does not require technical skills, but it only works for users in China or those who have tied the vacuum cleaner to a Chinese server (cn). If your account is registered in the ru, eu or us region, go to the method β3.
Step-by-step:
- Open the Mi Home app (version no lower than 6.5.400).
- Go to profile. β Settings β General settings β Region and choose China.
- Add the vacuum cleaner to the app (if it is not already tied).
- Go to the device page. β Settings (βοΈ) β General. β About the programme.
- Click 5 times in a row on the field with the firmware version. A hidden menu will appear.
- Select Get Token (may be called Token in Chinese).
- Copy the displayed code β this is your token.
If the Get Token item is missing, it means:
- πΉ Your account is not linked to a Chinese server.
- πΉ Mi Home is outdated (update via APKMirror).
- πΉ Xiaomi has removed this feature for your vacuum cleaner model (relevant for devices released after 2023).
3. Alternative method: extraction of the token through MITM-attack (for advanced attack)
If the official method did not work, you can intercept the token using Man-in-the-Middle (MITM) This method requires Python, Wireshark or Fiddler skills, but it gives you 100% of the result, and the bottom line is that you swap Xiaomi servers for your PC and you listen to traffic between the Mi Home app and the cloud.
What you need:
- π» Computer with Python 3.8+ and the mitmproxy library.
- π± Android smartphone with root rights or the ability to install a user certificate.
- π Local area network (vacuum cleaner and phone must be connected to the same Wi-Fi point).
Instructions:
- Install mitmproxy: pip install mitmproxy
- Launch a proxy server: mitmproxy --mode transparent --showhost
- On your smartphone, set up a proxy on IP Your PC and port 8080.
- Install the mitmproxy certificate on your phone (instruction: documentation).
- Open Mi Home and perform any action with the vacuum cleaner (such as running a cleaner).
- In the mitmproxy logs, search for a request to api.io.mi.com with the token option.
Example of successful interception:
GET /app/genToken?clientId=...&signature=...
Host: api.io.mi.com
Response: {"token":"a1b2c3d4e5f6...","expire": 1672531200}β οΈ Xiaomi may block your account for suspicious activity if you send too many requests to the user API. Use this method only to extract the token, not to survey servers in a mass manner.The recommended interval between requests is at least 5 seconds.
What to do if MITM doesn't work?
4.Use of Python scripts to automatically receive token
For users who don't want to mess with mitmproxy, there are pre-built Python scripts that automate the process. One of the most reliable is the miio-cli from the OpenMiHome community. It runs through the Xiaomi cloud and doesn't require root rights.
Installation and launch:
- Install miio-cli: pip install python-miio
- Sign in to Mi Account: Mio --discover --sync-cloud (Enter the login and password from your account).
- Get a list of devices: Mio devices
- Copy the token for the desired vacuum cleaner: miio inspect --ip [IP_vacuumer] --token [time-token]
Example of conclusion:
Device ID: 12345678
Model: roborock.vacuum.m1s (Xiaomi Vacuum Mop Pro)
Token: 6a5f4e3d2c1b0a9876543210fedcba98
Firmware: 3.5.9_1838Advantages of the method:
- β No need to root or modify your phone.
- β It works for all regions (ru, eu, us).
- β Supports two-tier authentication (if enabled in your account).
Disadvantages:
- β Xiaomi can block the account with frequent requests.
- β Requires command line knowledge.
βοΈ Preparation for the script
5. Removing the token from the Mi Home backup (for Android)
If you have a backup of your Mi Home data (created through a ADB Backup or Titanium Backup, a token that can be extracted from it without connecting to a vacuum cleaner, is suitable if the device is broken or located elsewhere.
Instructions:
- Create a backup for Mi Home: Adb Backup -f mihome.ab -app com.xiaomi.smarthome
- Unpack the archive mihome.ab with Android Backup Extractor.
- Open the file. apps/com.xiaomi.smarthome/db/mihome.db In SQLite Browser.
- Follow the request: SELECT token FROM devices WHERE model LIKE'%vacuum%';
If the token is not in the database, try:
- π Search in the account table (sometimes the token is stored there in encrypted form).
- π Check the backup for files with the.pref extension (may contain the token in open form).
β οΈ Note: In the new Mi Home versions (after 2023), tokens are stored in encrypted form. To decrypt them, you will need a key that is generated dynamically every time you run the application. MITM-method.
6. Token verification and error elimination
Once you get a token, you need to check it for performance, use a Python script or online services like MIoT Spec. If the token doesn't work, the reasons may be as follows:
| Mistake. | Reason. | Decision |
|---|---|---|
| Invalid token | The token is wrong or outdated. | Get a new token by any of the methods described. |
| Device not found | The vacuum cleaner is disconnected from Wi-Fi or tied to another account. | Check the network connection and sync with Mi Home. |
| Region mismatch | The token is derived for another region (e.g., cn, and the vacuum cleaner is on eu). | Change your account region or get a token for your current region. |
| Too many requests | Xiaomi blocked from blocking IP for frequent requests. | Wait 24 hours or use another one. IP (VPN). |
To test the token manually, use Postman or cURL:
curl -X POST"http://[IP_ vacuum cleaner]/miIO.info""
-H"Content-Type: application/json" \
-d'{"id":1}' \
--user "token:[YOUR TOKEN"If the answer contains βresultβ:[miIO.version,...], the token is valid.
π‘
If the vacuum cleaner doesn't respond to commands, try rebooting it by holding the power button for 10 seconds. API.
7 Security: How not to lose your token and account
The token gives you complete control over your vacuum cleaner, so its leakage can lead to:
- π« Remote control of the device by attackers.
- π Theft of your home layout data (cleanup maps contain exact room sizes).
- π Blocking Xiaomi account for suspicious activity.
Safety regulations:
- π Store the token in a password manager (such as Bitwarden or KeePass).
- π Do not transfer the token to third parties or public repositories (for example, in GitHub).
- π Regularly (every 3-6 months) update the token through Mi Home.
- π‘οΈ Use two-factor authentication in your Mi Account.
If you suspect that the token has been compromised:
- Untie the vacuum cleaner from your Mi Home account immediately.
- Change the password from the Mi Account.
- Get a new token by one of the methods described.
π‘
Never use the token on open networks (such as public Wi-Fi). To integrate with Home Assistant, set up a local network or VPN.