diff --git a/firmware-2711/latest/pieeprom-2024-04-17.bin b/firmware-2711/latest/pieeprom-2024-04-17.bin
new file mode 100644
index 0000000..c937189
Binary files /dev/null and b/firmware-2711/latest/pieeprom-2024-04-17.bin differ
diff --git a/firmware-2711/latest/recovery.bin b/firmware-2711/latest/recovery.bin
index 9159762..189e23b 100644
Binary files a/firmware-2711/latest/recovery.bin and b/firmware-2711/latest/recovery.bin differ
diff --git a/firmware-2711/release-notes.md b/firmware-2711/release-notes.md
index b85a2c6..0019f9c 100644
--- a/firmware-2711/release-notes.md
+++ b/firmware-2711/release-notes.md
@@ -1,5 +1,15 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
+## 2024-04-17 - Build Pi4 firmware from the mainline branch - STABLE
+  * Switch to building the Pi4 firmware from the common Pi4/Pi5
+    mainline release. This doesn't change the Pi4 features
+    but should make it quicker to release bug fixes in common code.
+  * Fix issue that caused the TRYBOOT flag to be lost in secure-boot mode.
+  * dtoverlay: Use %u when converting u32s to strings
+     See: https://github.com/raspberrypi/linux/issues/6039
+  * Improved debug messages for secure-boot.
+  * Generate the bootloader diagnostics qrcode at run time.
+
 ## 2024-04-15 - Fix tryboot mode in secure-boot - DEFAULT
    * Promote the secure-boot fix to the DEFAULT release.
 
diff --git a/firmware-2712/default/pieeprom-2024-04-17.bin b/firmware-2712/default/pieeprom-2024-04-17.bin
new file mode 100644
index 0000000..0ee1849
Binary files /dev/null and b/firmware-2712/default/pieeprom-2024-04-17.bin differ
diff --git a/firmware-2712/default/recovery.bin b/firmware-2712/default/recovery.bin
index 427942a..5f8c484 100644
Binary files a/firmware-2712/default/recovery.bin and b/firmware-2712/default/recovery.bin differ
diff --git a/firmware-2712/latest/pieeprom-2024-04-17.bin b/firmware-2712/latest/pieeprom-2024-04-17.bin
new file mode 100644
index 0000000..0ee1849
Binary files /dev/null and b/firmware-2712/latest/pieeprom-2024-04-17.bin differ
diff --git a/firmware-2712/latest/pieeprom-2024-04-18.bin b/firmware-2712/latest/pieeprom-2024-04-18.bin
new file mode 100644
index 0000000..21938c4
Binary files /dev/null and b/firmware-2712/latest/pieeprom-2024-04-18.bin differ
diff --git a/firmware-2712/latest/recovery.bin b/firmware-2712/latest/recovery.bin
index c85ba28..5f8c484 100644
Binary files a/firmware-2712/latest/recovery.bin and b/firmware-2712/latest/recovery.bin differ
diff --git a/firmware-2712/release-notes.md b/firmware-2712/release-notes.md
index 9deaca2..bf9721c 100644
--- a/firmware-2712/release-notes.md
+++ b/firmware-2712/release-notes.md
@@ -1,5 +1,22 @@
 # Raspberry Pi5 bootloader EEPROM release notes
 
+2024-04-18: Promote the 2024-04-17 release to the default release (default) (automatic update)
+* Select pieeprom-2024-04-17.bin to be the new default release and bump the
+  automatic update minimum version to this.
+
+2024-04-18: Update RP1 firmware to extend PCIe L1 entry timeout to 32 us (latest)
+* Extend PCIe L1 entry timeout to 32us
+  Fix xhci soft reset on link-down
+  Set useful xhci compatibility bits in GUCTL
+  See https://github.com/raspberrypi/firmware/issues/1877
+
+2024-04-17: Fix TRYBOOT flag in secure-boot mode (latest)
+* Fix issue that caused the TRYBOOT flag to be lost in secure-boot mode.
+* dtoverlay: Use %u when converting u32s to strings
+   See: https://github.com/raspberrypi/linux/issues/6039
+* Improved debug messages for secure-boot.
+* Generate the bootloader diagnostics qrcode at run time.
+
 2024-04-05: HAT+ fixes for max-current, custom CA cert for net install and enable over-clocking to > 3GHz (latest)
 * bootloader: clock_2712: Remove restriction on arm_freq <= 3000
   See: https://github.com/raspberrypi/firmware/issues/1876
diff --git a/imager/make-imager-release b/imager/make-imager-release
index 5b65a3e..110d4bc 100755
--- a/imager/make-imager-release
+++ b/imager/make-imager-release
@@ -8,4 +8,4 @@ script_dir=$(cd "$(dirname "$0")" && pwd)
 ${script_dir}/make-release critical 2023-01-11 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
 
 # Pi5
-${script_dir}/make-release critical 2024-02-16 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
+${script_dir}/make-release critical 2024-04-17 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
diff --git a/rpi-eeprom-config b/rpi-eeprom-config
index 8ba5fb3..8b985d8 100755
--- a/rpi-eeprom-config
+++ b/rpi-eeprom-config
@@ -463,6 +463,7 @@ class BootloaderImage(object):
                 sys.stdout.write(config_bytes)
 
 def main():
+    global DEBUG
     """
     Utility for reading and writing the configuration file in the
     Raspberry Pi bootloader EEPROM image.
@@ -510,7 +511,7 @@ Operating modes:
    The configuration file will be taken from:
        * The blconfig reserved memory nvmem device
        * The cached bootloader configuration 'vcgencmd bootloader_config'
-       * The current pending update - typically /boot/pieeprom.upd
+       * The current pending update - typically /boot/firmware/pieeprom.upd
 
    sudo -E rpi-eeprom-config --edit [pieeprom.bin]
 
@@ -524,8 +525,7 @@ Operating modes:
    the corresponding RSA public key.
 
    Requires Python Cryptodomex libraries and OpenSSL. To install on Raspberry Pi OS run:-
-   sudo apt install openssl python-pip
-   sudo python3 -m pip install cryptodomex
+   sudo apt install python3-pycryptodome
 
    rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig
    rpi-eeprom-config --config bootconf.txt --digest bootconf.sig --pubkey public.pem --out pieeprom-signed.bin pieeprom.bin
@@ -543,14 +543,16 @@ See 'rpi-eeprom-update -h' for more information about the available EEPROM image
     parser.add_argument('-c', '--config', help='Name of bootloader configuration file', required=False)
     parser.add_argument('-e', '--edit', action='store_true', default=False, help='Edit the current EEPROM config')
     parser.add_argument('-o', '--out', help='Name of output file', required=False)
-    parser.add_argument('-d', '--digest', help='Signed boot only. The name of the .sig file generated by rpi-eeprom-dgst for config.txt ', required=False)
+    parser.add_argument('-d', '--digest', help='Signed boot only. The name of the .sig file generated by rpi-eeprom-digest for config.txt ', required=False)
     parser.add_argument('-p', '--pubkey', help='Signed boot only. The name of the RSA public key file to store in the EEPROM', required=False)
     parser.add_argument('-x', '--extract', action='store_true', default=False, help='Extract the modifiable files (boot.conf, pubkey, signature)', required=False)
     parser.add_argument('-b', '--bootcode', help='Signed boot 2712 only. The name of the customer signed bootcode.bin file to store in the EEPROM', required=False)
     parser.add_argument('-t', '--timestamp', help='Set the timestamp in the EEPROM image file', required=False)
     parser.add_argument('--cacertder', help='The name of a CA Certificate DER encoded file to store in the EEPROM', required=False)
+    parser.add_argument('--debug', help='Debug logging for this tool', action='store_true', required=False)
     parser.add_argument('eeprom', nargs='?', help='Name of EEPROM file to use as input')
     args = parser.parse_args()
+    DEBUG = args.debug
 
     if (args.edit or args.apply is not None) and os.getuid() != 0:
         exit_error("--edit/--apply must be run as root")
@@ -571,10 +573,15 @@ See 'rpi-eeprom-update -h' for more information about the available EEPROM image
         image = BootloaderImage(args.eeprom, args.out)
         if args.timestamp is not None:
             image.set_timestamp(args.timestamp)
+
         if args.bootcode is not None:
             image.update_file(args.bootcode, BOOTCODE_BIN)
-            image.write()
-        elif args.config is not None:
+
+        if args.cacertder is not None:
+            image.update_file(args.cacertder, CACERT_DER)
+
+        if args.config is not None:
+            # The public key, EEPROM config and signature should be set together
             if not os.path.exists(args.config):
                 exit_error("config file '%s' not found" % args.config)
             image.update_file(args.config, BOOTCONF_TXT)
@@ -582,10 +589,9 @@ See 'rpi-eeprom-update -h' for more information about the available EEPROM image
                 image.update_file(args.digest, BOOTCONF_SIG)
             if args.pubkey is not None:
                 image.update_key(args.pubkey, PUBKEY_BIN)
-            if args.cacertder is not None:
-                image.update_file(args.cacertder, CACERT_DER)
-            image.write()
-        elif args.config is None and args.timestamp is not None:
+
+        if args.config is not None or args.timestamp is not None or args.bootcode is not None or args.cacertder is not None:
+            debug("Writing image")
             image.write()
         else:
             image.read()
diff --git a/rpi-eeprom-update b/rpi-eeprom-update
index 2e1cbc4..13f1535 100755
--- a/rpi-eeprom-update
+++ b/rpi-eeprom-update
@@ -400,7 +400,7 @@ checkDependencies() {
    elif [ $(((0x$BOARD_INFO >> 12) & 15)) = 4 ]; then
       BCM_CHIP=2712
       EEPROM_SIZE=2097152
-      BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1704470260}"
+      BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1713358463}"
       SPIDEV=/dev/spidev10.0
       # Default is to use flashrom if availableon BCM2712
       RPI_EEPROM_USE_FLASHROM=${RPI_EEPROM_USE_FLASHROM:-1}