
Easy way to obtain tokens using iOS (NO jailbreak, NO backup, NO computer)

Open basvdploeg opened this issue 4 years ago • 12 comments

Obtain Mi Home device token on iOS without a jailbreak! It doesn't need any other device to get the tokens and can use the latest version of Mi Home for iOS.

Pros:

  • Fast
  • No jailbreak needed
  • No backup needed
  • No computer needed
  • Works with the most recent version of the Mi Home app

Cons:

  • Requires the paid Charles Proxy iOS app: https://apps.apple.com/app/charles-proxy/id1134218562

How it works

Your device should already have been set up using the Mi Home iOS app.

  1. Make sure to force close the Mi Home app. We want a fresh start.
  2. Download the Charles Proxy iOS app.
  3. Once asked for permission to install VPN Configurations, tap Allow.
  4. The app will start the proxy and should show it’s active.
  5. Tap the gear icon in the top left. Then tap SSL Proxying.
  6. At the bottom of the screen you can find instructions for installing and trusting the Charles Proxy CA Certificate. Follow the instructions, install the Certificate and make sure that the Certificate Status shows “Trusted” when you come back in the Charles Proxy app.
  7. Now toggle the Enabled switch in the SSL Proxying screen to on and go back (close the settings menu) to the main screen of the app.
  8. Open the Mi Home app and let it fully load.
  9. Switch back to the Charles Proxy app and tap on the Current Session.
  10. You should see a lot of requests, but we’re looking for “de.api.io.mi.com”. Tap on it.
  11. Tap Enable SSL Proxying.
  12. Go back to the main screen of the app and clear the Current Session by swiping to the left and tapping “Clear”.
  13. Force close the Mi Home app and open it again. Let it fully load.
  14. Go back to Charles Proxy and tap on the new Current Session.
  15. Look for “de.api.io.mi.com” again, and tap it.
  16. Look for “app/v2/home/device_list_page”, and tap it.
  17. Scroll down to the Response Body and tap View body.
  18. BOOM! You should now see a (json) list of your devices, including their device tokens, local IP and device id’s!

Example output for the Xiaomi Air Purifier 3H:

{"code":0,"message":"","result":{"list":[{"did":"30XXXXXXX","uid":155XXXXXXX,"token":"3aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","name":"Mi Air Purifier 3H","pid":0,"localip":"192.168.86.XX","mac":"5C:XX:XX:XX:XX:XX","ssid":"Google Wifi","bssid":"70:XX:XX:XX:XX:XX","rssi":-37,"longitude":"0.00000000","latitude":"0.00000000","show_mode":1,"model":"zhimi.airpurifier.mb3","permitLevel":16,"isOnline":true,"spec_type":"urn:miot-spec-v2:device:air-purifier:0000A007:zhimi-mb3:1","extra":{"isSetPincode":0,"fw_version":"2.0.7","mcu_version":"0009","isSubGroup":false},"orderTime":1592583396}],"next_start_did":"30XXXXXXXX","has_more":false}}

basvdploeg avatar Jun 20 '20 10:06 basvdploeg

Came here to share this as well. Looks like @basvdploeg already has!

garrettmac avatar Jul 05 '20 02:07 garrettmac

man, thanks!!!! the only way to get it.

divemasterjm avatar Aug 20 '20 18:08 divemasterjm

I’m curious if this would work with the Roborock app too. If it’s giving you the full decrypted traffic shouldn’t it work with Roborock too?

roopesh avatar Aug 21 '20 17:08 roopesh

i can see all tokens, i have yeelights, mi hub, aqara hub, fan

divemasterjm avatar Aug 21 '20 17:08 divemasterjm

> I’m curious if this would work with the Roborock app too. If it’s giving you the full decrypted traffic shouldn’t it work with Roborock too?

No it is not, already tried that :(

Zer0x00 avatar Sep 02 '20 23:09 Zer0x00


UPDATE @2020-09-22: This method is not working anymore. The latest Mi Home app encrypts the response data of the API. Some reverse engineering of the Mi Home app is needed to figure out how the data is decrypted on the client side. Can anyone help with this?


I've found another iOS app that can also obtain the token with the latest version of the Mi Home app, and it is much cheaper (free). Also NO jailbreak, NO backup, NO computer.

Here are my steps:

  1. Install the Stream app: https://apps.apple.com/app/stream/id1312141691
  2. Tap HTTPS Sniffing under Settings, then follow the instructions in the Stream app to install and trust the CA.
  3. Force close all your background apps except Stream and Mi Home (NOTICE: you don't need to close the Mi Home app), so we can get a clean result after a sniff.
  4. Tap Sniff Now on the top of the screen.
  5. Switch to the Mi Home app, and turn any one of your devices on/off to make sure the Mi Home app has loaded the tokens to control the devices.
  6. Switch back to the Stream app and tap Stop Sniffing, then tap Sniff History, then tap the history session that was just generated.
  7. Tap the Search icon on the top right of the screen and search for the keyword device_list_page.
  8. You may get one or two search results, tap into it. Switch the tab to Response and tap the Preview Response Body on the bottom of the screen.
  9. BOOM! You should now see a (JSON) list of your devices, including their device tokens, local IP and device id’s!

These steps work fine for now (2020/09/08), but they may fail in the future.

SaekiRaku avatar Sep 08 '20 03:09 SaekiRaku
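
Added example, not part of the original issue or the com.xiaomi-miio project: both the Charles Proxy steps in the opening post and the Stream steps above end with the same `device_list_page` JSON body, and this sketch pulls the per-device fields out of it, checks the token format, and masks the secrets before the output is pasted anywhere public. The sample body is constructed, the function names are hypothetical, and the 32-hex-character token format is an assumption based on the example output.

```javascript
// Constructed sample in the shape of the device_list_page response; all values are dummies.
const SAMPLE_BODY = JSON.stringify({
  code: 0,
  result: {
    list: [
      { did: '300000001', token: '00112233445566778899aabbccddeeff',
        name: 'Mi Air Purifier 3H', localip: '192.168.86.20', model: 'zhimi.airpurifier.mb3' },
      { did: '300000002', token: '', name: 'Constructed device without a token',
        localip: '192.168.86.21', model: 'example.light.v1' },
    ],
    has_more: false,
  },
});
// Assumption: a miIO token is 16 bytes, written as 32 hex characters.
const TOKEN_RE = /^[0-9a-f]{32}$/i;

// Parse a captured response body into per-device records. Returns { ok: false, reason }
// when the body is not the plain JSON document, e.g. a capture of an encrypted response.
function extractDevices(body) {
  let doc;
  try {
    doc = JSON.parse(body);
  } catch (err) {
    return { ok: false, reason: 'body is not JSON (encrypted or truncated?)' };
  }
  if (doc?.code !== 0 || !Array.isArray(doc?.result?.list)) {
    return { ok: false, reason: `unexpected response, code=${doc?.code}` };
  }
  const devices = doc.result.list.map((d) => ({
    did: d.did, name: d.name, model: d.model, localip: d.localip, token: d.token,
    tokenValid: TOKEN_RE.test(d.token ?? ''),
  }));
  return { ok: true, devices, hasMore: Boolean(doc.result.has_more) };
}

// Keep the first two characters and replace the rest, like the redacted output in the issue.
function mask(value) {
  const s = String(value ?? '');
  return s.slice(0, 2) + 'X'.repeat(Math.max(0, s.length - 2));
}

// Copy of the records that can be pasted into a public issue without leaking secrets.
function redactForSharing(devices) {
  return devices.map((d) => ({
    ...d, did: mask(d.did), token: mask(d.token),
    localip: String(d.localip ?? '').replace(/\d+$/, 'XX'),
  }));
}
console.log(redactForSharing(extractDevices(SAMPLE_BODY).devices));
```

A `hasMore` value of `true` means the list is paginated and the capture holds only part of the devices.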

In my experience, I can't retrieve the token with the Roborock app. I used both Stream and another app for sniffing packets, but no token. It's a pity because I see the name of my device, for example. I tried from LTE, not Wi-Fi. I didn't think my Wi-Fi network would change anything... You had a great idea; for now it didn't work on my iPhone 8.

dreinn avatar Oct 26 '20 11:10 dreinn

arg.... I didn't switch off / on the device! I will try this evening when I return home

dreinn avatar Oct 26 '20 12:10 dreinn

Looks like they encrypt the response body now. Damn

garrettmac avatar Nov 04 '20 06:11 garrettmac

Check this script to extract from ios backup

https://github.com/LeoMartinDev/Mi-Home-token-extractor

BuSHari avatar Nov 11 '20 16:11 BuSHari

Also, through the openHAB binding I had the easiest way to obtain the tokens: https://www.openhab.org/addons/bindings/miio/

BuSHari avatar Nov 12 '20 05:11 BuSHari

I tried the above method just now on macOS 12.0.1 Monterey, and it worked like a charm.

  • Cloned the repo
  • Installed Node v12

    npm install -g n
    sudo n i 12

  • Made a local backup (unencrypted) from my iPhone
  • Ran the token extractor

    npm i
    npm start

It produced a nicely colored output with IP and token.

cramsvik avatar Mar 31 '22 13:03 cramsvik

Closing old issues. There are now easier and free ways to obtain tokens.

This app needs financial support for further development and upgrade to SDK3. For more info see: https://community.homey.app/t/app-pro-xiaomi-mi-home-app-for-wifi-devices/118/943

jghaanstra avatar Feb 01 '23 13:02 jghaanstra