Getting Xiaomi vacuum cleaner token on PC

Integrating a robotic assistant into a single smart home ecosystem is a logical step for any owner of Xiaomi, Roborock or Dreame. However, users often face a barrier: a unique access key is required to connect a device to third-party platforms such as Home Assistant or OpenHAB. This key, called a token, serves as a digital pass that allows the local network to interact with your gadget in the cloud or directly.

Getting this ID through the official Mi Home app on your smartphone is becoming increasingly difficult because of the hidden data in new versions of the software. This is where the personal computer comes to the rescue. Using a PC with Windows, macOS or Linux, you get a powerful toolkit to extract hidden configuration parameters. In this article, we will analyze proven methods of mining a token without having to disassemble the device.

It's important to understand that the process requires carefulness and a basic understanding of how network protocols work. We'll look at both automated scripts and manual traffic analysis. The token is 32 characters in hexadecimal format and is a critical element for local management. Without it, integration with advanced automation systems is impossible, since the miIO protocol requires strict authorization for each request.

⚠️ Note: All of the actions described below are at your own risk. Interfering with network configuration or using third-party traffic analysis software may be considered suspicious activity by antivirus software.

Why do I need a token and how does the miIO protocol work?

MiIO, developed by Xiaomi, is the basis for communication between smart devices and the company’s servers. Unlike simple IoT gadgets that simply send data to the cloud, miIO-based devices use encryption for commands. The token acts as a symmetric encryption key. This means that both the device and the managing client (your PC or smart home server) need to know this secret to decrypt the commands.

Without a token, you’re limited to the official Mi Home or Roborock app. You can’t run a voice cleaning service on Google Assistant locally, create complex scenarios in Node-RED, or see a cleaning map in Home Assistant. Many enthusiasts are looking to get a token just to break the dependence on Chinese servers and ensure that the equipment works even when the Internet is disconnected.

There's a misconception that the token is static and permanent, and in fact, if you reset the device to factory settings or re-bind the app, the token can change, so if you re-tied the vacuum cleaner, the old access keys will stop working and you'll have to do it again, and it's a security measure designed to protect your local network from unauthorized access.

πŸ’‘

Use password managers to save tokens, and writing 32-character hex codes manually is a surefire way to make a mistake when you type.

Preparing the working environment on the computer

Before you start extracting keys, you need to prepare a software environment. Most modern methods require the Python interpreter installed. It is a cross-platform programming language that is ideal for working with network queries. Make sure that the Python version is at least 3.7, as older versions may not support the necessary encryption libraries.

You also need a pip package manager, which is usually bundled with Python, and we'll use it to install specialized utilities like python-miio or miio-cli. These tools allow you to send specific requests to your device on a local network. If you're a Windows user, remember to tick the box "Add Python to PATH" when you install Python to run commands from any directory.

It is critical to have a PC and a robotic vacuum cleaner on the same subnet, which means that both devices must be connected to the same router. If your computer is connected by a cable and a vacuum cleaner over Wi-Fi to the same router is normal. However, using a guest Wi-Fi network or client isolation (AP Isolation) will make it impossible to detect the device. Make sure that the firewall does not block incoming connections on port 54321, which is standardly used by the miIO protocol.

β˜‘οΈ Checking readiness to receive the token

Done: 0 / 4

Retrieval method through Python-script python-miio

One of the most reliable ways is to use the python-miio library, which doesn't require Android emulation and works directly with the network protocol. To start the installation, open the command line (CMD) or terminal and type in the pip install python-miio command. Once you've completed the installation, you'll have access to the console utility miio.

The next step is to detect the device on the network, and run the detection command to make sure that the script "sees" your vacuum cleaner.

miio discover --timeout 5

In return, you will receive a list of devices from them. IP-However, if the device is already paired with a Xiaomi account, a simple request may not return the token.In this case, interception or local traffic analysis is used, but often just know IP If the token is not displayed immediately, move on to the next stage – emulation of the mobile application.

You can use debugging mode to do a deeper analysis. Create a file. get_token.py And you put a script in it to listen to the network, and this method requires you to temporarily redirect traffic or use specialized sniffers, but it does. 100% result.

What if the python-miio can’t see the device?
Make sure the device does not have Invisibility mode enabled in the router settings. Also try temporarily disabling the antivirus, which can block the device. UDP-Sometimes it helps to have a static installation. IP-addresses for vacuum cleaner in router settings.

Using Android Emulator and Traffic Sniffer

Since the official Mi Home app hides the token and PC versions are often stripped down, the most effective method is to emulate the Android environment. This software creates a virtual smartphone on your computer, allowing you to install APK-file.

After installing the emulator, load it into it. APK-file of an old, verified version of the Mi Home app (often recommend versions before the 5.x Modern versions of the app have learned to resist simple sniffering methods. Inside the emulator, you will need to log in to your Xiaomi account.

The key is to set up the traffic sniffer, and inside the emulator or at the host PC level, you need to configure a proxy (like Charles Proxy or Wireshark), and you need to intercept the request that the application sends when the device is launched, in the body of that request (usually this is the case). POST-request API Xiaomi) in plain or easily decoded form JSON You'll find the token you want, and you'll find the "token" line in the sniffer logs as soon as the app opens up vacuum cleaner status.

ParameterDescriptionWhere to find
Token32-character access keyJSON API response / Local Storage
DidUnique device IDSettings of the device in the application
IP AddressLocal address on the networkRouter or Mi Home app
ModelDevice model (e.g. rockrobo.vacuum.v1)Device information
πŸ“Š What method of obtaining a token was the most difficult for you?
Setup Python environment
Installation of the Android emulator
Working with the command line
Setting up a traffic sniffer

Alternative way: Docker container for Home Assistant

If you're already using Home Assistant, it's a lot easier. There's a Docker container that automatically scans the network and tries to extract tokens from authorized accounts, a less manual method, but requires a Docker engine running on your PC or server.

To run, use the official rytilahti/python-miio image or specialized add-ons for HA. You will need to enter the username and password from the Xiaomi account into the configuration file. The script is logged in to the Xiaomi server, receives a list of all the associated devices and their tokens, and then displays them in a log file. This is especially convenient if you need to access a dozen devices at once.

However, this method carries the risks of transferring credentials to a third-party script. Although the code is open and verified by the community, from a security perspective, entering a password into a local script is always less secure than using cloud authorization via OAuth.

⚠️ Warning: Never publish your token, IP-address or screenshots of this data in open sources. IP, An attacker on your local network can fully control the device by running a cleanup at 3 a.m. or changing zone settings.

Solving Typical Connection Problems

A common problem is the "Unable to discover device" or connection timeout error, which almost always indicates a network problem. Make sure there is no isolation between your PC and the vacuum cleaner. In corporate or hotel networks, such methods will not work, since direct communication between devices is prohibited by router rules.

Another problem is changing region: If your account is registered in Europe and the vacuum cleaner is bought in China (or vice versa), some commands may not pass. In the integration settings or script, you sometimes need to explicitly specify the server (for example, de, ru, cn). The miIO protocol is sensitive to delays, so ping to the device should be minimal.

If you upgraded the vacuum cleaner firmware and the token stopped working, don't panic. In rare cases, with major software updates, the access keys can be rotated. In this case, the procedure for obtaining the token will have to be repeated again. IP-Device address, if no static is reserved in the router IP.

πŸ’‘

The stability of the smart home depends on the correctness of the entered token, one erroneous number in the hex code will make the device inaccessible for local management.

FAQ: Frequently Asked Questions

Can I get a token without using a PC?
Yes, it's possible, but it's more complicated. Some users use jailbreak iPhones with Packet Capture utility or Android smartphones with root rights and HttpCanary app. However, using a PC with an emulator or Python scripts often turns out to be a more stable and convenient way, especially for analyzing large amounts of data.
What if the token is not suitable for Home Assistant?
Check the device model. In the Xiaomi Mi Robot Vacuum integration, you need to choose the right model (e.g. roborock.vacuum.s5). If the wrong model is selected, commands may not be executed, even if the token is correct. Also make sure that the configuration indicates the correct port (default 54321).
Is it safe to use modified versions of the Mi Home?
Modified versions (such as those from Vevs) are popular in the community and are considered safe because their code is open. They allow you to see tokens directly in the application interface without unnecessary tricks. However, installing any software from unverified sources, you theoretically risk your account data.
Will the token change after the vacuum cleaner is dumped?
In most cases, the token is tied to the device and the account, and a simple reset does not change it. However, if you completely untie the device from the Xiaomi account (Delete device) and re-attach it, the token will be generated by a new one. The old key will become invalid.