pieeprom-2026-01-09: 2711: Promote to the default release

* arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP
  Previously, the GET/SET user OTP mailboxes would provide access to the
  device unique private key. Update the mailbox API to fail if the
  key has been locked via lock_device_private_key=1 in config.txt or
  the associated mailbox call.
  GET/SET user OTP fails by setting the result tag to the standard
  error code (0x80000000). The dedicate GET/SET private key continue
  to fail the entire mailbox operation to force vcmailbox to exit
  with a non-zero error code.
* cm5: Add support for 8-bit bus width eMMC
* Query all sdram devices for temperature when adjusting refresh
* Add support for more SDRAM die configurations.

.gitignore

@@ -1 +1,3 @@
 *.swp
+images-2711/
+images-2712/

firmware-2711/release-notes.md

@@ -1,5 +1,65 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
+## 2026-01-13: Promote 2026-01-09 to the default release (default)
+
+## 2026-01-09: arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP (latest)
+
+* arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP
+  Previously, the GET/SET user OTP mailboxes would provide access to the
+  device unique private key. Update the mailbox API to fail if the
+  key has been locked via lock_device_private_key=1 in config.txt or
+  the associated mailbox call.
+  GET/SET user OTP fails by setting the result tag to the standard
+  error code (0x80000000). The dedicate GET/SET private key continue
+  to fail the entire mailbox operation to force vcmailbox to exit
+  with a non-zero error code.
+* cm5: Add support for 8-bit bus width eMMC
+* Query all sdram devices for temperature when adjusting refresh
+* Add support for more SDRAM die configurations.
+
+## 2025-12-09: Promote 2025-12-08 to the default release (default)
+
+## 2025-12-08: arm_loader: Add machine ID derived from OTP values (latest)
+
+* arm_loader: Add machine ID derived from OTP values
+  Machine ID is generated and exposed in device tree as rpi-machine-id
+* arm_ldconfig: Avoid double os_prefix on initramfs
+  When using auto_initramfs we were picking up prefix from the kernel,
+  but also adding os_prefix later:
+  fname = prefixed_path(initramfs_file, os_prefix, temp_path, sizeof(temp_path));
+  See: https://forums.raspberrypi.com/viewtopic.php?t=394238
+* recovery: Use OTP rpiboot GPIO if non-zero
+  If an rpiboot GPIO has already been written to OTP then default to
+  that value if C(program_rpiboot_gpio) is not specified on config.txt.
+
+## 2025-11-27: helpers/config_loader: Also support bootvar0 eeprom config on Pi4 (latest)
+
+* helpers/config_loader: Also support bootvar0 eeprom config on Pi4
+  This allows an eeprom config setting (e.g. BOOTARG0=0x10) to be set on a board
+  which config.txt can use as a conditional expression (e.g. [bootarg0&0x10]).
+* pi5: Write over-voltage config to the UART log
+  Write the high level over-voltage configuration to the UART log for
+  diagnostic purposes.
+* Stop partition-walk after boot-mode timeout/retries limit
+  Fix a fatal assert with USB boot where the partition walk could be
+  retried after the USB timeout/retry limit had been reached.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/776
+* rpiboot: Extend metadata to report status of operations
+  Report success/fail status of recovery operations based on config.txt settings
+
+## 2025-11-21: recovery: Restore recovery_wait option (latest)
+
+* recovery: Restore recovery_wait option
+  Restore the recovery_wait config.txt option. If this option is set
+  then recovery.bin will not rename itself or reboot. Instead flash
+  the activity LED on completion.
+  This option can be useful when creating an SD card to erase the
+  EEPROM or program the RPIBOOT gpio on multiple devices.
+  If recovery_wait=1 and recovery.bin is run from the SD card then
+  indicate success of erase_eeprom=1 or program_rpiboot_gpio=N was
+  set instead of requiring the EEPROM to be updated.
+* Manufacture test updates for SDRAM.
+
 ## 2025-11-09: Promote 2025-11-05 to the default release (default)
 
 ## 2025-11-05: Add iommu_dma_numa_policy=interleave when needed (latest)

firmware-2712/release-notes.md

@@ -1,5 +1,47 @@
 # Raspberry Pi5 bootloader EEPROM release notes
 
+## 2025-12-09: Promote 2025-12-08 to the default release (default)
+
+## 2025-12-08: arm_loader: Add machine ID derived from OTP values (latest)
+
+* arm_loader: Add machine ID derived from OTP values
+  Machine ID is generated and exposed in device tree as rpi-machine-id
+* arm_ldconfig: Avoid double os_prefix on initramfs
+  When using auto_initramfs we were picking up prefix from the kernel,
+  but also adding os_prefix later:
+  fname = prefixed_path(initramfs_file, os_prefix, temp_path, sizeof(temp_path));
+  See: https://forums.raspberrypi.com/viewtopic.php?t=394238
+
+## 2025-11-27: Stop partition-walk after boot-mode timeout/retries limit (latest)
+
+* pi5: Write over-voltage config to the UART log
+  Write the high level over-voltage configuration to the UART log for
+  diagnostic purposes.
+* Stop partition-walk after boot-mode timeout/retries limit
+  Fix a fatal assert with USB boot where the partition walk could be
+  retried after the USB timeout/retry limit had been reached.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/776
+* rpiboot: Extend metadata to report status of operations
+  Report success/fail status of recovery operations based on config.txt settings
+
+## 2025-11-21: Allow longer overlay file paths (latest)
+
+* recovery: Restore recovery_wait option
+  Restore the recovery_wait config.txt option. If this option is set
+  then recovery.bin will not rename itself or reboot. Instead flash
+  the activity LED on completion.
+  This option can be useful when creating an SD card to erase the
+  EEPROM or program the RPIBOOT gpio on multiple devices.
+  If recovery_wait=1 and recovery.bin is run from the SD card then
+  indicate success of erase_eeprom=1 or program_rpiboot_gpio=N was
+  set instead of requiring the EEPROM to be updated.
+* Load RP1 firmware whilst DDR is initialising
+* Allow longer overlay file paths
+  load_dtoverlay uses the variable "filename" to hold the full path to an
+  overlay. As such it should be declared using LDFILEPATH_MAX, not
+  LDFILENAME_MAX.
+  See: https://github.com/raspberrypi/firmware/issues/2004
+
 ## 2025-11-09: Promote 2025-11-05 to the default release (default)
 
 ## 2025-11-05: arm_loader: Add iommu_dma_numa_policy=interleave when needed (latest)

imager/make-imager-release

@@ -1,11 +1,22 @@
 #!/bin/sh
 
 set -e
+set -x
 
 script_dir=$(cd "$(dirname "$0")" && pwd)
+base_dir="${script_dir}/.."
 
 # Pi4, Pi400, CM4, CM4-S
-${script_dir}/make-release critical 2025-11-05 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
+image_date=$(ls -lr $base_dir/firmware-2711/default/ | grep pieeprom | sed 's/.*pieeprom-//g' | sed 's/.bin//g' | head -n1)
+${script_dir}/make-release critical ${image_date} 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
 
 # Pi5
-${script_dir}/make-release critical 2025-11-05 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
+image_date=$(ls -lr $base_dir/firmware-2712/default/ | grep pieeprom | sed 's/.*pieeprom-//g' | sed 's/.bin//g' | head -n1)
+${script_dir}/make-release critical ${image_date} "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
+
+# Convert to disk image for RPi Imager downloads
+sudo ${script_dir}/make-recovery-images
+
+# Delete the plain .zip files. These should not be uploaded as releases.
+rm -rf release-2711
+rm -rf release-2712

imager/make-pi4-rpiboot-gpio-sd

@@ -0,0 +1,134 @@
+#!/bin/sh
+
+set -e
+
+script_dir=$(cd "$(dirname "$0")" && pwd)
+TMP_DIR=""
+
+die() {
+   echo "$@" >&2
+   exit 1
+}
+
+cleanup() {
+   if [ -d "${TMP_DIR}" ]; then
+      rm -rf "${TMP_DIR}"
+   fi
+}
+
+usage() {
+cat <<EOF
+Usage:
+sudo $(basename $0): <gpio_num>
+
+	Creates an SD card image which programs the OTP on a Pi 4B or Pi 400
+	to select a GPIO on the 40-pin header for use as the rpiboot GPIO.
+	Once programmed, if this GPIO is pulled to ground at power on, the
+	SoC bootrom will boot into rpiboot provisioning mode.
+
+	This setting _permanently_ modifies the device configuration - it cannot
+	be undone or changed, ever.
+
+	The SD image will be written to images-2711/pi4-program-rpiboot-gpioN.zip,
+	where N is the number of the chosen GPIO, and can be flashed using
+	Raspberry Pi Imager to a spare SD card. As with programming the bootloader
+	EEPROM, insert the card in the Raspberry Pi, power on and wait for the
+	green LED to flash.
+
+	gpio_num: Select the rpiboot GPIO number from 2,4,5,6,7 or 8.
+EOF
+    exit 1
+}
+
+trap cleanup EXIT
+
+[ "$(id -u)" = "0" ] || die "$(basename $0) must be run as root"
+[ -n "${SUDO_UID}" ] || die "SUDO_UID not defined"
+[ -n "${SUDO_GID}" ] || die "SUDO_GID not defined"
+
+build_image()
+{
+   chip="${1}"
+   gpio="${2}"
+   img="pi4-program-rpiboot-gpio${gpio}"
+   zip="${img}.zip"
+   img="${img}.img"
+
+   TMP_DIR="$(mktemp -d)"
+   (
+      mkdir "${TMP_DIR}/files"
+      cd "${TMP_DIR}/files"
+      cp "${script_dir}/../firmware-${chip}/latest/recovery.bin" .
+   cat <<EOF > config.txt
+uart_2ndstage=1
+recovery_wait=1
+program_rpiboot_gpio=${gpio}
+EOF
+      echo "Generated config.txt file"
+      cat config.txt
+      cd "${TMP_DIR}"
+      dd if=/dev/zero bs=1M count=258 of=temp.img > /dev/null 2>&1
+      /sbin/sfdisk temp.img <<EOF
+label: dos
+label-id: 0x0a7b5ac5
+device: temp.img
+unit: sectors
+
+./test.img1 : start=        2048, size=       524288, type=c
+EOF
+      file temp.img
+      LOOP="/dev/mapper/$(kpartx -lv temp.img | head -n1 | awk '{print $1}')"
+      kpartx -a temp.img
+      /sbin/mkfs.fat -F 32 -s 1 "${LOOP}" > /dev/null
+      mkdir fs
+      mount "${LOOP}" fs
+      cp -v files/* fs
+      sync
+      sleep 5
+      umount fs
+      # Delay before calling kpartx otherwise it's sometimes possible to get orphaned loopback devices
+      sleep 5
+      kpartx -d temp.img
+   )
+   image_dir="images-${chip}"
+   mkdir -p "${image_dir}"
+   chown "${SUDO_UID}:${SUDO_GID}" "${image_dir}"
+   mv "${TMP_DIR}/temp.img" "${image_dir}/${img}"
+   file "${image_dir}/${img}"
+   cd "${image_dir}"
+   zip "${zip}" "${img}"
+   cd ..
+   rm "${image_dir}/${img}"
+   chown "${SUDO_UID}:${SUDO_GID}" "${image_dir}/${zip}"
+   echo "Wrote $(pwd)/${image_dir}/${zip}"
+}
+
+
+if ! command -v kpartx > /dev/null; then
+   die "kpartx not found: Try installing the kpartx package"
+fi
+
+[ -n "${1}" ] || usage
+gpio_num="$1"
+
+case "${gpio_num}" in
+   	2)
+		;;
+	4)
+		;;
+	5)
+		;;
+	6)
+		;;
+	7)
+		;;
+	8)
+		;;
+        *)
+		echo "GPIO ${gpio_num} is not supported"
+		echo
+  	  usage
+	  	;;
+esac
+
+build_image 2711 "${gpio_num}"

rpi-eeprom-config

@@ -117,12 +117,12 @@ def shell_cmd(args, timeout=10, echo=False):
     error occurs then exit and output the subprocess stdout, stderr messages
     for debug.
     """
-    start = time.time()
+    start = time.monotonic()
     arg_str = ' '.join(args)
     bufsize = 0 if echo else -1
     result = subprocess.Popen(args, bufsize=bufsize, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 
-    while time.time() - start < timeout:
+    while time.monotonic() - start < timeout:
         if echo:
             s = result.stdout.read(80).decode('utf-8')
             if s != "":
@@ -260,8 +260,8 @@ class BootloaderImage(object):
 
         self._image_size = len(self._bytes)
         if self._image_size not in VALID_IMAGE_SIZES:
-            exit_error("%s: Expected size %d bytes actual size %d bytes" %
-                       (filename, self._image_size, len(self._bytes)))
+            exit_error("%s: Expected sizes %s bytes, got actual size %d bytes" %
+                       (filename, VALID_IMAGE_SIZES, self._image_size))
         self.parse()
 
     def parse(self):