ya that. exactly.
that would be the only way I would know of.
sorry i misunderstood. you could use the qubes keyboard proxy. or unhide it from dom0. think they are both explained in the docs there, but don't think either are recommended but if you have no choice.
*) Undoing the sys-usb commands.
From my understanding, the reason the two commands
qubesctl top.enable qvm.sys-usb and qubesctl state.highstate
are so hard to undo, is because it's meant to be hack-proof, and it will cause the sys-usb to be automatically restoed again to its default state. Further reading if you're curious: https://github.com/QubesOS/qubes-issues/issues/2157
In order to easily undo it, I believe you may be able to edit /srv/salt/_tops/base/topd.top
Remove the sys-usb line in the file, don't change anything else.
Be warned, I haven't done this before, it's hypothetical whether it works.
To my knowledge, the first command not only enables the preconfigured sys-usb, it also push the sys-usb into the salt file (the top part of the command. The second command apparently enables the salt feature for whichever VM is in the list (default enabled in Qubes 4). If sys-usb is removed from the file, it should supposedly be outside salts protection area.
Now try restart, if everything went well (hopefully), it should be back to normal, and USB should be found by Dom0 again. You don't need to disable sys-usb, as long as it doesn't autostart (which we at this point fixed).
Keep in mind that the /var/lib/qubes/qubes.xml file may have changed in Qubes 4 compared to Qubes 3.2. Also SALT should be by default enabled in Qubes 4, so you might encounter this kind of memory protection thing in other areas in Qubes 4 in the future.
Everything here is edited through plain text files, you do not need chroot or anything of the sorts. As long as you can open up your encrypted drives, and gain read/Write access, have a text editor you can use, you're basically set.
Keep in mind, I'm not an expert. Be sure to make backups or at the very least backup/memorize what you did to the single file you changed, so you can reverse it, should it be needed.
In my case I had assigned a network card/controller to the Sys-Net VM, which Qubes hated so much compatibility-wise that it subsequently refused to boot altogether, simply because attempt to initialize that net card caused such catastrophic failure on startup that the entire OS became non-startable.
However, since devices assigned to VM's have specific serial identifiers that Qubes is looking for on bootup to assign to chosen VM, and since Qubes was in this case itself installed on a flash drive, it stood to reason that by simply booting it on a completely different laptop which did not have that relevant network card and serial number present, Qubes would simply ignore the requested assignment and boot normally, with no network card (not even the one in the second laptop) assigned to Sys-net upon boot completion. And this is exactly what happened.
From there, with system successfully booted on second laptop without problem card, it is/was still necessary to use Qubes Manager to graphically edit settings for that Sys-net VM, and look in its list of assigned devices, which *appears* empty but is not really (because a non-present device is still assigned to it "invisibly"). Because of this, it was needed to click the "unassign all" button (two arrows pointing left: << ) and then save settings, so that even non-visible/present devices (the problem card) became unassigned to that Sys-Net VM.
After that, I shut down and placed Qubes flash drive back in original laptop, booted, and everything worked fine. Problem network card was back to Dom0 and not assigned to Sys-Net, and all worked fine (with no networking, obviously, but still usable system).
This approach may or may not work for de-assigning USB controller from USB-VM, since when booted on a different laptop, that specific USB controller won't be found, and the assign request will be ignored, and you can unassign-all-devices from USB-VM on that second laptop, before shutting down and then booting again on original machine.
Like I said, possibly this tactic won't work for some unpredictable reason, but it worked in my case when network card was the "accidentally" assigned device causing non-startable system.