diff --git a/.gitmodules b/.gitmodules
index 344f3c4..96b4128 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,15 @@
 [submodule "tools/rtl_tcp_andro"]
 path = tools/rtl_tcp_andro
 url = https://github.com/signalwareltd/rtl_tcp_andro-.git
+[submodule "tools/monmob"]
+ path = tools/monmob
+ url = https://github.com/tuter/monmob.git
+[submodule "tools/P4wnP1"]
+ path = tools/P4wnP1
+ url = https://github.com/RoganDawes/P4wnP1.git
+[submodule "tools/dustcloud-nexmon"]
+ path = tools/dustcloud-nexmon
+ url = https://github.com/dgiese/dustcloud-nexmon.git
+[submodule "tools/internalblue"]
+ path = tools/internalblue
+ url = https://github.com/seemoo-lab/internalblue.git
diff --git a/BUILDING_MODULES.md b/BUILDING_MODULES.md
index 7ffe544..5e0a041 100644
--- a/BUILDING_MODULES.md
+++ b/BUILDING_MODULES.md
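Review bot: The four `[submodule]` sections added in the `.gitmodules` hunk fetch from third-party GitHub accounts, and nothing in the commit records how those repositories were vetted or how their pins are meant to move. The gitlink entries added later in this commit pin each submodule to a fixed commit, so a recursive clone checks out exactly those SHAs; the exposure is a later `git submodule update --remote`, or an upstream account rename or deletion, either of which can change or break what the URL serves. Pointing each `url` at a fork or mirror the project controls would remove that dependency on upstream. Failing that, a line in BUILDING_MODULES.md such as `Submodules are pinned to reviewed commits; bump a pin only in its own reviewed commit` would document the expectation.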
@@ -183,6 +183,49 @@ pkg install -y clinfo opencl-headers clinfo # Should show PowerVR device ```
+## Included Reference Projects
+
+These are included as submodules in `tools/` to give you a starting point
+for building custom drivers and firmware. Clone with `--recurse-submodules`
+to get them.
+
+### monmob — WiFi Monitor Mode on Android
+- **Path**: `tools/monmob`
+- **Repo**: https://github.com/tuter/monmob
+- **What**: Enables WiFi monitor mode on mobile devices. Useful reference
+ for getting monitor mode working on Broadcom chips without full nexmon.
+
+### P4wnP1 — USB Attack Platform
+- **Path**: `tools/P4wnP1`
+- **Repo**: https://github.com/RoganDawes/P4wnP1
+- **What**: Turns devices into a flexible USB attack/pentest platform.
+ HID injection, network attacks via USB gadget, Bluetooth. Good reference
+ for USB gadget mode drivers and HID attack payloads on Android.
+
+### dustcloud-nexmon — Nexmon for Broadcom Chips
+- **Path**: `tools/dustcloud-nexmon`
+- **Repo**: https://github.com/dgiese/dustcloud-nexmon
+- **What**: Nexmon firmware patches adapted for various Broadcom WiFi chips.
+ Reference for porting nexmon to new chips like the BCM4390.
+
+### InternalBlue — Bluetooth Firmware Patching
+- **Path**: `tools/internalblue`
+- **Repo**: https://github.com/seemoo-lab/internalblue
+- **What**: Bluetooth experimentation framework from the Seemoo Lab
+ (same team behind nexmon). Patches Broadcom/Cypress and some Qualcomm
+ Bluetooth firmware for security research. Supports:
+ - Raw HCI access and LMP monitoring
+ - Firmware patching on Broadcom BT chips
+ - Fuzzing and security testing
+ - Works on Android with root (KernelSU)
+
+### rtl_tcp_andro — RTL-SDR + HackRF Android Driver
+- **Path**: `tools/rtl_tcp_andro`
+- **Repo**: https://github.com/signalwareltd/rtl_tcp_andro-
+- **What**: Native Android USB driver for RTL-SDR and HackRF. Implements
+ the rtl_tcp protocol via `iqsrc://` intent.
Build the APK and any SDR
+ app on Android can use your USB SDR hardware without root.
+
 ## Kernel Module Loading via KernelSU KernelSU supports loading `.ko` files. Place them in:
diff --git a/tools/P4wnP1 b/tools/P4wnP1
new file mode 160000
index 0000000..9c8cc09
--- /dev/null
+++ b/tools/P4wnP1
@@ -0,0 +1 @@
+Subproject commit 9c8cc09a6503f10309c04310c3bba9c07caab8b7
diff --git a/tools/dustcloud-nexmon b/tools/dustcloud-nexmon
new file mode 160000
index 0000000..6d3ee49
--- /dev/null
+++ b/tools/dustcloud-nexmon
@@ -0,0 +1 @@
+Subproject commit 6d3ee499d27d132bc42653a24da2c586d9838ef6
diff --git a/tools/internalblue b/tools/internalblue
new file mode 160000
index 0000000..f524380
--- /dev/null
+++ b/tools/internalblue
@@ -0,0 +1 @@
+Subproject commit f524380672564dc4869f3d9a6cbcdeaf5b8a6b85
diff --git a/tools/monmob b/tools/monmob
new file mode 160000
index 0000000..e16df37
--- /dev/null
+++ b/tools/monmob
@@ -0,0 +1 @@
+Subproject commit e16df370da7ff4236e985b456ab5b6fe1345c221