How to know the token of the robot vacuum cleaner Xiaomi: the complete guide

Smart tech owners often face the need to integrate their devices deeply into a single ecosystem. Robot vacuum cleaners from Xiaomi, Roborock or Dreame are some of the most popular gadgets, but their standard functionality sometimes wants to expand. To connect the device to third-party control systems such as Home Assistant, or to use alternative applications, you will need a unique security ID.

This digital key, called a token, allows external software to access the management of your janitor. Without this code, many advanced automation scenarios will remain unavailable. The process of obtaining it may seem difficult for a beginner, but in fact it requires only care and a clear algorithm of actions.

In this article, we will discuss in detail what a token is, why it is needed, and how it can be extracted from your device, and we will look at both the official methods available through cloud services and more technical ways through a local network.

⚠️ Warning: The token is the key to accessing your device. Never share it with anyone or publish it publicly, as this may allow attackers to control your robot vacuum cleaner.

What is a token and why is it needed

A token is a long string of characters that acts as a password for authorizing third-party applications. The MiOT (Mi IoT) protocol, which is the basis for most devices in the ecosystem, requires strict authentication. When you add a vacuum cleaner to the Mi Home app, the server generates that key and links it to your account and a particular device.

The token's primary purpose is to ensure communication security, and it ensures that the commands to start cleaning, return to base, or change the suction power come from an authorized user, and the standard application hides this parameter from the user's eyes because it is not required for normal use.

However, if you decide to create a complex scenario, like running a cleanup only when all the smartphones in the house have left the geofence, or displaying vacuum status on a smart display, you will need this key.

  • πŸ”‘ Identification: Unique code links a user account to a specific physical device on the network.
  • πŸ›‘οΈ Security: Prevents unauthorized access to the control of household appliances from the outside.
  • πŸ”— Integration: Allows you to connect your device to platforms like Home Assistant, Node-RED or Yandex.Smart Home through third-party integrations.
πŸ“Š What purpose do you need a token for?
Integration with Home Assistant
Setting up Yandex.Smart home
Experiments with APIs
Just out of interest.

The official method is Mi Cloud Token Extractor

The most reliable and secure method of obtaining a key is to use your account’s cloud data, which does not require root rights on your smartphone, nor does it involve installing suspicious software directly on the phone you’re operating the vacuum cleaner from, but takes place on the server side or via a secure script.

First, you need a Xiaomi account that has a robot vacuum cleaner attached to it. It's important to understand that the server that your account is registered with must match the region that you choose from in the Mi Home app. Most often, these are servers in China, Russia or Europe. A mistake in choosing a region will lead to the fact that you simply will not find your device in the list.

There are many online services and GitHub repositories that offer Token Extractor, and the way they work is the same: you enter your Mi Home account login and password, log in to the cloud, get a list of all your devices, and upload tokens for each of them. Once you get the data, you are strongly advised to change your account password.

Is it safe to enter a password on third-party sites?
Using proven open-source scripts on GitHub (such as Xiaomi Cloud Token Extractor) is considered relatively secure because the code is open to verification. However, there is always a risk of account compromise. The best way to use a temporary password or account created specifically for tests, although it is not always convenient for the main home hub.

The process is as follows:

  1. Go to the authorization page of the selected token extraction tool.
  2. Choose the right server region (important!).
  3. Enter your Xiaomi account credentials.
  4. After successful authorization, copy the string of the token corresponding to the model of your vacuum cleaner.

⚠️ Note: When using online token generators, make sure you are on a site with a secure connection (HTTPS) And that the resource has a good reputation in the community of smart home users.

Receiving a token through the Mi Home (Android) app

For Android users, there is an alternative method that does not require password transfer to third parties, but it requires SuperUser (Root) rights or the use of special debugging tools, which is considered more technically complex, but it gives direct access to local application data.

If your smartphone is rooted, the token is stored in a secure database of the Mi Home application.The path to the file usually looks like /data/data/com.xiaomi.smarthome/databases/miio.db. To access this file, you will need a root file manager, such as Root Explorer or MixPlorer.

Once you copy the database to a computer, you can open it with any SQLite editor. You need a devicedb table that will store the token you want in one of the columns. MAC-address of the device or its name (SSID), This is usually a "roborock-vacuum" or "dreame-vacuum".

β˜‘οΈ Checklist for obtaining a token on Android

Done: 0 / 4

If root rights are not available, you can try the method of intercepting traffic, but it requires setting up a proxy server on your computer and installing a certificate on your phone, which makes this method cumbersome for the average user.

ParameterCloud methodLocal method (Root)Sniffing method
DifficultyLow.MediumTall.
I need a Root.No.Yes.No.
SecurityMedium (data transfer)High (locally)Low (certificates)
Speed.1-2 minutes5-10 minutes15-30 minute

Use of the token in Home Assistant and other systems

Once you've successfully mined a long string of characters, the question is, what do you do with it? Most often, tokens are used to integrate into the Home Assistant smart home system. This platform uses Xiaomi MiOT integration, which requires input. IP-address of the device, its token and sometimes models.

The process of adding the device looks standard for HA: you go into settings, select integration, and enter the data you get. If the token is correct, the system immediately tightens all the available entities: cleaning status, charge level, tank water level and filter state, which turns a regular vacuum cleaner into a full-fledged element of a smart home.

It's worth noting that if you change your Mi Home password or reassign your device, the token can change, and in such cases, the integration will stop working, and you'll have to repeat the key extraction procedure, so if you plan to change your passwords often, consider this nuance.

πŸ’‘

Keep the received token in a safe place (password manager or text file in the safe). If you lose it, the procedure will have to go through again, and if you block the account, access to the device through third-party systems will disappear.

For other systems, such as OpenHAB or Domoticz, the principle is similar: the token acts as an API key. Without it, these platforms will not be able to send commands to the device, since they will not be able to log in to the gateway or vacuum cleaner itself.

Possible problems and solutions

The most common mistake is the wrong server region, where users often register accounts on the China server and buy a device for Russia or Europe, in which case the cloud extractor will not see the device on the list, even if the username and password are correct.

Another problem is two-factor authentication, where if your account has SMS or email protection enabled, the token extract script may not be able to handle the confirmation code request, in which case it is recommended to temporarily disable two-factor authentication, get the token, and then turn the protection back on.

There is also a situation where the device appears in the list, but the token is not readable or has a faulty format. This can happen if the device manufacturer (Xiaomi, Roborock) has changed the encryption protocol, in such cases it is worth looking for an updated version of the extractor script or using the method of local traffic sniffing.

  • 🌍 Region: Check if the region in the Mi Home app matches the settings of the token tool.
  • πŸ” 2FA: Temporarily disable two-factor authorization if the script cannot log in to your account.
  • πŸ”„ Updates: Make sure the vacuum cleaner firmware and Mi Home app are updated to the latest versions.

⚠️ Note: If you have changed your account region in the Mi Home app, old devices may disappear from the list or cease to be managed.

Security and storage of access keys

Once you access the token, you actually have complete control of the device. IP-The address of your vacuum cleaner (on the same network) can run it, send it to the base, or even change voice packets.

It is not recommended to store tokens in plain form in cloud notes or send them in messengers without encryption.The best solution is to use specialized password managers such as KeePass or Bitwarden, where data is protected by a master password.

Also, limit access to your home Wi-Fi network. A guest network is a great place to connect IoT devices, including robot vacuum cleaners, and this will create an additional barrier between your main devices (laptops, phones with banking applications) and potentially vulnerable smart appliances.

πŸ’‘

A token is the equivalent of a key to an apartment. Losing a token is not scary (you can get a new one), but getting it into the wrong hands gives you access to the management of your house.

Frequently Asked Questions (FAQ)

Can I get a token without a computer, only from a phone?
Yes, there are mobile apps like Token Extractor available in the Play Market or App Store, but their security is questionable: it is more reliable to use web versions of services through a smartphone browser or still use a PC to guarantee data security.
Will the token change after the vacuum cleaner is flashed?
In most cases, the token is tied to the device and the account, not to the vacuum cleaner's software itself, but if you reset the device to factory settings and re-attach it as a new device, the server can issue a new token, and the old key will stop working.
Does this work for all Xiaomi and Roborock models?
This method works for the vast majority of devices using the MiOT protocol. This includes popular models of the S5, S6, S7, S8 series, as well as devices of the Dreame, Viomi and Roidmi brands. The exception may be completely new models released after updating security protocols, for which extractor scripts have not yet been adapted.
What if the token is not suitable in Home Assistant?
Check it out. IP-Device address - it could change if the router didn't reserve a static address. Also make sure you copy the token completely, without any unnecessary spaces at the beginning or end of the line. Sometimes it helps to remove the device from integration and add it again with verified data.