diff --git a/firmware-2711/latest/pieeprom-2026-01-09.bin b/firmware-2711/latest/pieeprom-2026-01-09.bin
new file mode 100644
index 0000000..7f9ce3a
Binary files /dev/null and b/firmware-2711/latest/pieeprom-2026-01-09.bin differ
diff --git a/firmware-2711/latest/recovery.bin b/firmware-2711/latest/recovery.bin
index e26752a..a7cc39c 100644
Binary files a/firmware-2711/latest/recovery.bin and b/firmware-2711/latest/recovery.bin differ
diff --git a/firmware-2711/release-notes.md b/firmware-2711/release-notes.md
index 7597b38..daf5773 100644
--- a/firmware-2711/release-notes.md
+++ b/firmware-2711/release-notes.md
@@ -1,5 +1,20 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
+## 2026-01-09: arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP (latest)
+
+* arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP
+  Previously, the GET/SET user OTP mailboxes would provide access to the
+  device unique private key. Update the mailbox API to fail if the
+  key has been locked via lock_device_private_key=1 in config.txt or
+  the associated mailbox call.
+  GET/SET user OTP fails by setting the result tag to the standard
+  error code (0x80000000). The dedicate GET/SET private key continue
+  to fail the entire mailbox operation to force vcmailbox to exit
+  with a non-zero error code.
+* cm5: Add support for 8-bit bus width eMMC
+* Query all sdram devices for temperature when adjusting refresh
+* Add support for more SDRAM die configurations.
+
 ## 2025-12-09: Promote 2025-12-08 to the default release (default)
 
 ## 2025-12-08: arm_loader: Add machine ID derived from OTP values (latest)