Owners of modern robotic equipment from Xiaomi often face the need to integrate their devices into alternative control systems or third-party automation services. Successfully pairing a vacuum cleaner with platforms like Home Assistant, OpenHAB or even advanced functionality in Apple HomeKit requires a unique access key, called a token, which serves as a digital pass that allows external applications to send commands directly to the device via the cloud or local network.
Without this secret code, management is limited to the official Mi Home app, which is not always convenient for creating complex smart home scenarios. Obtaining a token is a technical procedure, but it is quite affordable even for users who do not have deep knowledge of programming. In this article, we will discuss in detail several proven ways to extract the key using both mobile devices and a personal computer.
It's important to understand that a token is confidential information. Never share it with anyone or publish it publicly. By knowing the token, attackers can gain full control of your device, including the ability to run a cleanup in your absence or block the device, so approach the process of obtaining and storing the key with the utmost care.
Why do we need a token and where do we use it?
The main purpose of the token is to authorize third-party software when interacting with the Xiaomi IoT ecosystem.The official Mi Home app hides this key from the user, providing a basic level of security. However, enthusiasts and advanced users often want to go beyond the standard functionality provided by the manufacturer.
With the key, you can implement really powerful automation scenarios, such as running cleaning only when all family members' smartphones have left the geofence at home, or turning on a device on a schedule that cannot be specified in the standard interface, and a token is needed to locally manage the device without accessing the company's Chinese or European servers, which greatly speeds up the response of the system.
There are several popular areas where knowledge of the token is required:
- π Integration with Home Assistant to create a single management interface.
- π Adding a device to Apple HomeKit via plugins if the vacuum cleaner model is not officially supported.
- π€ Using alternative clients for Android/iOS with advanced functionality and detailed statistics.
- π Local management through MQTT direct LAN-teamwork to improve reliability.
It is worth noting that the use of third-party software always carries certain risks. Incorrect configuration can lead to temporary unavailability of the device in the official application until the reconnection. Local management protocol, which is activated using the token, often works more stable than the cloud, but requires the correct network configuration.
β οΈ Attention: Token extraction may violate the terms of the user agreement.Act at your own risk, although in most cases it is safe for the hardware of the device.
Method 1: Obtaining a token through Android and Root rights
The easiest and fastest method is available to Android smartphone owners who have superuser (Root) rights. If your device is rooted, you won't need a computer or complex manipulation of network packets. All the necessary information is stored in a secure database of the Mi Home application.
To implement this method, you will need a file manager with access to system partitions, such as Root Explorer or a file manager. MT Manager: The algorithm is simple: you go to the directory where Mi Home stores its data: /data/data/com.xiaomi.smarthome/databases/miio.db.
Once you find the database file, you have to copy it to an accessible location and open it with any SQLite editor. In the table that contains the device information, you will find a column called token. This is the character string that is the key you want. For Roborock or Xiaomi Vacuum models, the procedure is identical.
π‘
Before copying system files, make a backup of the database in case of editing error.
If you don't have Root rights, this method won't work, because Android blocks access to other apps' data, and then you'll have to resort to more complex, but versatile methods using traffic sniffering or special utilities for your PC.
Method 2: Use of Xiaomi Cloud Token Extractor
This method is most popular among Windows and macOS users, as it does not require superuser rights on the phone or complex network environment configuration. Xiaomi Cloud Token Extractor utility allows you to get tokens of all devices associated with your Mi Account by logging into the companyβs servers.
To get started, youβll need a computer and an installed Python runtime (version 3.6 or higher) or a ready-made executable (.exe) if you donβt want to mess around with the code. The program emulates login, requests a list of devices, and uploads their identifiers along with tokens to a text file or displays them in a console.
The process is as follows:
- Download the current version of the utility from the developer repository (usually GitHub).
- Start the program and enter the login and password from your Mi Account.
- Select the server on which the device is registered (Europe, China, USA, Russia).
- After successful authorization, the program will give a list of all devices with their tokens.
It is important to keep your credentials secure. When you use third-party scripts to log in, you formally transfer your username and password to the utility developer. Although most of these programs are open and verified by the community, there is still a risk of account compromise, and it is recommended that you use a separate account for tests or temporarily change your password after receiving a token.
βοΈ Check before launching the utility
One of the common problems with this method is captcha or confirmation of login via SMS. Xiaomi security system may consider multiple requests for tokens as suspicious activity, in which case it is worth taking a break or trying to log into the account through the browser to confirm trust in the device.
Method 3: Sniffing traffic through Proxy (mitmproxy)
The most technically sophisticated, but also the most reliable method, which does not require passwords to be transferred to third parties and the presence of Root rights, is based on intercepting (sniffing) encrypted traffic between the Mi Home application and Xiaomi servers.
The idea is that you set your smartphone up to work through a proxy server running on your computer, then you set a special security certificate on your phone so that the Mi Home app trusts the traffic interceptor, and then any action in the application (such as turning on the vacuum cleaner) will be asked in the logs on your computer containing the device token.
The main stages of setting up:
- π₯οΈ Install mitmproxy on PC and find out IP-local area address.
- π± Set up Wi-Fi on your smartphone by specifying a proxy (IP computer and port 8080).
- π Download and install the mitmproxy-ca-cert.pem certificate on your phone.
- π² Start intercepting traffic and open the Mi Home app.
The main difficulty with this method in modern versions of Android (7.0 and higher) is that applications do not trust user certificates by default.To get around this limitation, it often requires Root rights to move the certificate to the system folder, or use an Android emulator on a PC (for example, NoxPlayer or BlueStacks), where you can easily install the certificate in trusted ones.
Why are there no traffic in the logs?
Despite its complexity, it is considered the βgold standardβ for security researchers, which allows you to get tokens not only for vacuum cleaners, but for any other devices in the ecosystem that support the MiIO protocol. If you plan to regularly engage in smart home settings, mastering mitmproxy will be a very useful skill.
Compatibility table of models and protocols
Not all Xiaomi devices use the same authorization mechanism. While some models are MiIO-based and easily give away the token, others use newer standards or require specific actions. Below is a table of popular models of robot vacuum cleaners and the features of obtaining a token for them.
| Model of the device | Protocol of communication | Difficulty obtaining | Support for local governance |
|---|---|---|---|
| Xiaomi Mi Robot Vacuum 1S | MiIO | Low. | Complete. |
| Roborock S5 / S5 Max | MiIO | Low. | Complete. |
| Roborock S6 / S7 | MiIO / RT | Medium | Complete (with nuances) |
| Dreame D9 / Z10 Pro | MiIO | Low. | Complete. |
| Xiaomi Vacuum-Mop 2 | MiOT | Tall. | Limited. |
As you can see from the table, older and more popular models, such as the Roborock S5 or the first Mi Robot, are the easiest to integrate into third-party systems. The newest devices running on the AIoT platform (MiOT marking), may require additional manipulation, as they use cloud tokens that are often changing or have a short lifespan.
For MiOT-labeled devices, the standard token may not be suitable for local management. In such cases, integration developers often use cloud gateway emulation techniques or require a dedicated plugin to broadcast commands. Always check the documentation of a particular integrator (such as the Xiaomi Mi Robot Vacuum component for Home Assistant) for support for your model.
π‘
The success of integration depends not only on the token, but also on the protocol support of a specific vacuum cleaner model in the software you choose.
Solution: Token is not working or is not in operation
Even with strict follow-up to instructions, users often face situations where the received key is not received by the system or is not valid. The most common reason is a region mismatch. A token received through the Europe server will not work if the device is tied to the China server. Always check the region in the Mi Home application settings.
Another common problem is changing the token after a device is reset or firmware update. While in most cases the token is permanently linked to the account and device, in rare cases, a full reset may change the key. If the integration stops working after the reset, the procedure for obtaining the token will have to be repeated.
Also worth paying attention to is the input format. A token is a 32-digit hexadecimal string. When copying from a database or logs, it is easy to capture extra spaces or string transfer symbols. Check the length of the line carefully: it should be exactly 32 characters. Extra spaces at the beginning or end of the line will lead to an error in the Invalid Token authorization.
β οΈ Note: If you changed your Mi Account password after receiving the token, the token itself will not change, but new devices added to the account may not appear in old sniffers until re-authorization.
In some cases, antivirus software or a firewall on your computer can block the connection of the token extraction utility to Xiaomi servers. Try temporarily disabling protection or adding the program to exceptions. Also, using mobile Internet instead of Wi-Fi to distribute the network if the provider blocks certain ports helps.
Security measures and final recommendations
Getting a token opens the door to the world of advanced automation, but remember responsibility. The token gives you full access to control the device. Store it in a safe place, preferably in an encrypted configuration file of your smart home system, not in a text file on your desktop. Don't put screenshots of tokens in chat rooms or forums.
Use Xiaomiβs guest account to experiment if youβre afraid for the security of the main one. Link the vacuum cleaner to a new account, get a token and use it for integration. This isolates potential risks. In addition, regularly updating the vacuum cleanerβs firmware through the official app helps close vulnerabilities that could theoretically be exploited through an open local control port.
Token integration is a powerful tool that turns a home appliance into a full-fledged smart home, and by taking the time to set up, you get the flexibility that standard tools don't have, and the key is to be careful and understand what you're doing at each step of the process.