Apple

Finding a lost Apple Pencil using sysdiagnose

Anton Huck

5 min read
Finding a lost Apple Pencil using sysdiagnose
Photo by Volodymyr Hryshchenko / Unsplash

I've always been a fan of Apple's iCloud Find My. Not only because I tend to misplace my keys or my Phone but the overall experience of the ecosystem. But lastly I had to learn the limitations the hard way. You can't use Find My for all Apple devices and they excluded one of the probably most lost devices: The Apple Pencil. I had to be creative to come up with an approximation, where to find a lost one. Read about it in this post.

The Mission

A few days back my sister told me that she lost her Apple Pencil at the University. My naive answer was (being the Find My guy): check the Find My App and you should see the last location. Unfortunately she couldn't find the Pencil in her app. Double-checking the Find My landing page she seems to be right - Apple Pencil is not supported by the app.

My first thoughts were: well, it's almost Christmas, but my second thought was about helping to find her belonging.

There are at least the following approaches to find a lost Bluetooth device:
1. Searching where it got lost
2. (paid) Apps
3. Try Bluetooth pairing (maybe the device is still around)
4. Digging through logs

In this post I'll discuss all of them but will focus on the last one.

The Discovery

Let's start with the obvious one: Searching where it was lost.

My sister was pretty sure that she left her Pencil at the University. It was the obvious guess: she used it there the day before and it was the last time she saw it. After calling back and forth everybody around that class room she finally gave up and admitted the loss.

The next day she got some new hope and searched Google for a way to uncover the last location. And you guessed it - Google is full of Ads for Bluetooth tracking Apps which claim to be the best around. They will notify you on a potential leave behind of a tracked peripheral. Well, it's working as long as you're "planning ahead" but none of them will recover the last seen location of an already lost device. What a bummer.

Later that day she approached me with the sad news - so I did the same: Searching the web. My first hits were some geek-websites suggesting "walking around" and wait for a connection - expecting their audience not leaving their home and therefore losing stuff in a bluetooth range. The rest of the results was pretty much the same as already discussed earlier.

The Improvisation

As I worked in IT support / Systems Engineering quite some time - one of the first things that I tend to do when anything is broken or lost is checking the logs (or more broadly any of the three pillars). Usually you can just connect your iPhone to your Mac, trust the computer and use the Console.App to search trough the logs.

Well, getting the logs of an iPad OS running device that is not anywhere around (my sister is not that tech-savvy and living some hundred kilometers away) turned out to be more tricky than just plugging in and using the Mac Console. Luckily the Apple developer forums are not that extensive but clear enough to learn about sysdiagnose.

For my devices running the latest iOS 15 it was straight forward to trigger a sysdiagnose snapshot, holding all physical keys for a few milliseconds:

[Volume Up] + [Volume Down] + [Power]

It's really less than a second - don't expect any feedback (sometimes you hit a screenshot).

Then there is a crucial part for all of us impatient people: Wait a minute or two! You will be rewarded with an archive of significant size to explore. Find it in the privacy settings:

Find the sysdiagnose archive on your iPhone or iPad

Notice the timestamp? - Click on the latest report and share it to your Mac - I had to use iCloud as AirDrop was no option due to the distance.

Once the archive is loaded to your Mac - unpack (double click does the Apple-Magic!). Let's have a look what's in there:

sysdiagnose archive contents

That's sweet - a bunch of diagnostic reports to dig through. Take your time and look around on your own. Spoiler: for our next step the logs folder won't be as helpful as I initially expected.

The Final Sprint

I probably did the same as you, clicking through all the folders and peeking into the files. After playing around with grep, the system_logs.logarchive surfaced as the most promissing with a lot of hits for the keyword Apple Pencil :

grep -irFe "Apple Pencil"

But how to read these binary files? Obviously you can load them into the Built-in Mac tool "Console" (it has nothing to do with the terminal, it's rather a tool to read the logs from the Mac or connected Apple Devices). For whatever reason the imported archive did not show up any Apple Pencil matches within the Console although grep found something.

Last but not least I found the log command which is also delivered out of the box and presumably the CLI for the Console:

Great! Let's put it together and find the lost Apple Pencil:

log show --archive system_logs.logarchive | grep -iF "Apple Pencil"

At this point look for pattern changes. You should see disconnect, power found and loss events - these events will hint you the last-seen-time.

Unfortunately this approach won't give you a location, but you will give a quite accurate timestamp when to look back for it. In the case of my sister we were able to combine the timestamp with her Google Maps Location History and pinpoint the loss-location. To both of our surprise it wasn't the University but hours later at a public parking lot.

Even if you don't have Google Location History you might be able to pinpoint the location, too - look at your chats, emails, calls & be creative! But if you do have Google Maps Location History - be curious about the upcoming posts where I will go through the Location History and use Google Takeout to get a better understanding what Google is saving about you.