May 25, 2013, 08:37:02 PM

Author Topic: yareftpt - yet another root exploit for TPT  (Read 40171 times)

opdecirkel (Newbie, 40 posts)
yareftpt - yet another root exploit for TPT
« on: March 18, 2012, 05:02:10 AM »
Instructions here: http://opdecirkel.wordpress.com/2012/03/18/yareftpt/
Code:
Init ver (0.1): Worked only for OTA1 and only if the /system partition was automatically mounted in recovery
Update (0.2): Using signed update to get /system partition mounted, worked for OTA1, not for OTA2 since ADBD is without ro.kernel.qemu mode.
Update (0.3): Remove dependency on ro.kernel.qemu and use "command injection" instead, works for both OTA1 and OTA2 (has problems with installing root tools after rooting)
Update (0.4): Do not use "mv" across file systems, and get root tools (su, Superuser.apk) installed properly
Please report if you have issues.

Those who tried 0.2: it is possible that you still have "ro.kernel.qemu=1" in /data/local.prop.
Delete the file or truncate it with echo > /data/local.prop; when the prop is there your tablet will behave erratically.

FAQ
-----------------------------------------------
Q0: Does it work with my update version and region?
A: It should work with any OTA1, OTA2.x; please report if it doesn't. ..... Don't even think about touching the screen where the "Mobility Manager" app is lying.

Q1. Can I use ThinkPadTablet_A310_02_0024_0060_US.zip even if my region is different?
A: Use any version that the signature check will pass and version compatibility check will fail. The purpose of "installing---failing" update is to mount /system partition in recovery mode. The best candidate is the oldest available lenovo signed update.

Q2: Do I need Android SDK?
A: On Win, no. On Linux yes. (all you need is explained in the blogpost)


Q3: Is it possible to brick the tablet running the exploit?
A: This exploit does not touch parts of the system that would brick the tablet. However, there are always chances that something bad can happen.
If you want to know what you are doing exactly by running the exploit, study the scripts ....  knowledge is power :)


Q4. If rooting does not work for you, please post here:
1) the version of the firmware you are running (including the region),
2) the output (& errors) you got when executing the script,
3) go to recovery (do not run run.sh or run.bat). While in recovery (after "installing" the failing update AND wiping out the cache partition), do
adb shell
when you get the shell prompt ($)
Code:
/system/bin/mount
and post the output. (if the system partition is not mounted rw, rooting won't work)

Code:
/system/bin/cat /system/etc/install-recovery.sh
and post the output.

Code:
/system/bin/ls -l /cache
/system/bin/ls -l /cache/recovery
/system/bin/ls -l /tmp/recovery.log
and post the output.





===========================
UPDATE:

I am glad that many of you succeeded to root their tablet.
However, some did not. But I do not have much feedback (except from two or three).
If you want me to fix the script, please post your failures you are getting.

1. You have to follow the instructions carefully, every step is important and the timing too (when which step is applied)
2. if you get 'Device not found', make sure that development mode is enabled: Reboot in normal mode, and check that [Settings->Applications->Development->USB Debugging] is enabled. Then start the rooting procedure from the beginning.
3. if you get - exec '/system/bin/sh' failed: No such file or directory (2) -, do not continue. When you were applying the OLD update (step 5) it was not successful. Do not continue, but reboot your tablet (again in recovery), rerun run.bat and follow the instructions carefully.
4. on the step: /cache/recovery/pwn/su, if you get '#', your tablet is already rooted. If not, do not continue, try the procedure once more.
5. when you are running pwn-in.sh (in adb shell), some of the commands will fail, but that is ok. The most important is: after the script is done, do the following:
Code:
ls -l /system/xbin/su
if it is there, check:
ls -l /system/app/Superuser.apk
if ok:
ls -l /system/xbin/busybox

If all three files are there, the rooting is complete,
5. if not, try to execute manually:
Code:
cat /data/local/pwn/su > /system/xbin/su
ln -s /system/xbin/su /system/bin/su
chown root /system/xbin/su
chmod 6755 /system/xbin/su
cat /data/local/pwn/Superuser.apk > /system/app/Superuser.apk
cat /data/local/pwn/busybox > /system/xbin/busybox
chmod 755 /system/xbin/busybox
/system/xbin/busybox --install /system/xbin/

cat /data/local/pwn-bak/install-recovery.sh.orig > /system/etc/install-recovery.sh

These are the important steps. If some of them fail, open another cmd console, go into the rooting script dir (yareftpt) and do:
Code:
adb push Superuser.apk /data/local/pwn/Superuser.apk
adb push busybox /data/local/pwn/busybox
adb push su /data/local/pwn/su

Go back to the other cmd window and repeat (5. from this update)
Code:
cat /data/local/pwn/su > /system/xbin/su
ln -s /system/xbin/su /system/bin/su
.....
.....
.....
from above.

Some of you reported that after factory reset, they have succeeded. Factory reset should not play any role, but you can try it.



===========================
I have root exploit, works for OTA1, OTA2.x
It is only a script, no binary executable of any kind (except the standard root tools: Superuser.apk, busybox, etc; I took them from the first root exploit from @djrbliss).
I have a working version for linux and windows.
Thanks,

p.s. Lenovo can fix this exploit silently (you won't even notice it ...  they can actually do whatever they want on your tablet) through "Mobility Manager".
So, do not start the app if you want root. (though there is a part of "Mobility Manager" running as a background process, it seems to be more harmful if you start the app explicitly)

« Last Edit: April 15, 2012, 03:57:08 AM by opdecirkel »

S.Prime (Global Moderator, Hero Member, 926 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #1 on: March 18, 2012, 07:35:54 AM »
I am excited to see a new exploit for those who have not achieved root. I am sure we will have volunteers to help with the development and I am confident that our advanced members will jump at the opportunity to help with the Android system. Fortunately, I was able to achieve root with Dan's (djrbliss) exploit.

As far as Mobility Manager, I have opened it but have never gone beyond that point and if I remember correctly you were prompted to enter a setup. So does that setup process allow access to your tablet or does just opening the app, as I did, allow the same access by Lenovo and if so, for those who have, how do you block it?

Edited for clarification.
« Last Edit: March 18, 2012, 10:23:19 AM by S.Prime »
IT Service Professional - I Just Want A Device to Be Productive

feskey (Jr. Member, 53 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #2 on: March 18, 2012, 09:47:41 AM »
Great to hear that!!! Just want to know what you mean by "do not start Mobility Manager"?

I am on OTA2 now since I went to the Lenovo service center to ask for repair for "can not update", then they changed to a new main board for me which was already OTA2. And I have opened Mobility Manager many times by trying the root from Dan, which I already knew won't work, just to have a try.

I do not have android sys experience, but if there is any help I can do for you please just tell me.

Koshu (Newbie, 1 post)
Re: yareftpt - yet another root exploit for TPT
« Reply #3 on: March 18, 2012, 04:04:39 PM »
Hi,

great to hear that someone has found a new exploit.

Which problem with "stuck on ota1" are you referring to? The cases where someone deleted system apps, or did I miss something?

pghFL (Sr. Member, 495 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #4 on: March 18, 2012, 05:34:08 PM »
Excellent news. Thanks on behalf of those still needing root.
Don't get mad, get root
GNote N8013
183827U 64GB
0089_US/Root/CWM ;D

opdecirkel (Newbie, 40 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #5 on: March 18, 2012, 05:42:01 PM »
« Last Edit: March 18, 2012, 05:43:37 PM by opdecirkel »

S.Prime (Global Moderator, Hero Member, 926 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #6 on: March 18, 2012, 06:23:25 PM »
Please post your results after you try the opd exploit (opdecirkel). This topic will become the guide to the opd exploit.
IT Service Professional - I Just Want A Device to Be Productive

exe (Newbie, 20 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #7 on: March 18, 2012, 06:27:43 PM »
I just tried it but it looks like it is not working for me.
ADB is working well. When the tablet is fully started it will give shell access with adb shell.
After booting into recovery and clearing the cache partition the script will run
the following commands :
adb shell "rm /cache/recovery/log"
adb shell "ln -s /data/local.prop /cache/recovery/log"

I just get:
- exec '/system/bin/sh' failed: No such file or directory (2) -
- exec '/system/bin/sh' failed: No such file or directory (2) -

Tablet version : ThinkPadTablet_A310_02_0039_0089_WE

GodfatherIP (Full Member, 167 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #8 on: March 18, 2012, 07:56:34 PM »
Great news, I am glad to hear that a new exploit has been found.

opdecirkel (Newbie, 40 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #9 on: March 18, 2012, 09:18:04 PM »
The exploit uses the following things:
1. If you enable USB Debugging, the setting is stored in a persistent property, and the init.rc in recovery starts adb if persist.service.adb.enable=1
2. If you wipe cache (in recovery), it is immediately recreated, and /cache/recovery with rwxrwxrwx perms. Also there is a log file created there, etc ... this is all clear from the scripts ....

Here is the part that needs a new idea:
In OTA1 and some OTA2 (WE confirmed for now), the /system partition is not mounted properly in recovery during init. And even though adb is running, I cannot get a shell to run a command (ln, rm, etc). The only thing I can do is pull, push (... things that do not need /system/bin/sh).
However, if you select an update package, the partition is mounted properly (by the update-binary), but this would work only when you install an update.  Does somebody have an idea how to fix this so that we can root those guys too with this exploit?

Note: On the next normal boot (after cache wipe in recovery), during init (before adb is started) the permissions of /cache are fixed, so that the shell user does not have access to it.

« Last Edit: March 18, 2012, 09:45:10 PM by opdecirkel »
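The post above describes the weak point the script relies on: recovery opens its log file by path inside a world-writable /cache/recovery, so a symlink planted there redirects the privileged write to /data/local.prop. The C program below is an added illustration written for this thread, not opdecirkel's script and not Lenovo's recovery code: it puts a log writer that follows the planted symlink beside a hardened one (O_NOFOLLOW plus an fstat check on the opened descriptor) and exercises both in a temporary directory that stands in for /cache/recovery; all paths and the log line are constructed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: open the log by path inside a directory that
 * unprivileged users can write to. If "log" is a symlink, the privileged
 * write lands on the link target (on the tablet: /data/local.prop). */
int write_log_vulnerable(const char *path, const char *line) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened: O_NOFOLLOW makes open() fail with ELOOP when the final path
 * component is a symlink, and fstat() on the descriptor confirms we got a
 * regular file owned by us rather than something swapped in underneath. */
int write_log_hardened(const char *path, const char *line) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Constructed stand-in for the thread's setup: in a temp dir, "log" is a
 * symlink to "local.prop". Returns 1 if the writer's output reached
 * local.prop (writer fooled), 0 if it refused, -1 on setup failure. */
int demo(int hardened) {
    char dir[] = "/tmp/cache-recovery-XXXXXX";            /* stands in for /cache/recovery */
    if (!mkdtemp(dir)) return -1;
    char link[300], target[300];
    snprintf(link, sizeof link, "%s/log", dir);
    snprintf(target, sizeof target, "%s/local.prop", dir); /* stands in for /data/local.prop */
    if (symlink(target, link) < 0) return -1;             /* the planted symlink */
    const char *line = "recovery log line (constructed)\n";
    (hardened ? write_log_hardened : write_log_vulnerable)(link, line);
    char buf[128] = {0};
    FILE *f = fopen(target, "r");
    int hit = 0;
    if (f) { if (fgets(buf, sizeof buf, f)) hit = strcmp(buf, line) == 0; fclose(f); }
    unlink(link); unlink(target); rmdir(dir);
    return hit;
}
```

demo(0) returns 1 (the write went through the symlink) and demo(1) returns 0; note that the fix the thread itself observes, init tightening the /cache permissions on normal boot, removes the world-writable directory rather than the symlink follow, and both belong together.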

HOLLYW00D (Newbie, 4 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #10 on: March 18, 2012, 10:10:29 PM »
Quote from: opdecirkel on March 18, 2012, 09:18:04 PM
The exploit uses the following things:
1. If you enable USB Debugging, the setting is stored in a persistent property, and the init.rc in recovery starts adb if persist.service.adb.enable=1
2. If you wipe cache (in recovery), it is immediately recreated, and /cache/recovery with rwxrwxrwx perms. Also there is a log file created there, etc ... this is all clear from the scripts ....

Here is the part that needs a new idea:
In OTA1 and some OTA2 (WE confirmed for now), the /system partition is not mounted properly in recovery during init. And even though adb is running, I cannot get a shell to run a command (ln, rm, etc). The only thing I can do is pull, push (... things that do not need /system/bin/sh).
However, if you select an update package, the partition is mounted properly (by the update-binary), but this would work only when you install an update.  Does somebody have an idea how to fix this so that we can root those guys too with this exploit?

Note: On the next normal boot (after cache wipe in recovery), during init (before adb is started) the permissions of /cache are fixed, so that the shell user does not have access to it.

howdy, thanks for your work on this!  I just tried it, and it doesn't work for me (- exec '/system/bin/sh' failed: No such file or directory (2) -), but I was thinking: you mention the /system partition is mounted properly when using an update package: is it possible to create one, or a series, of "update.zip" files for the commands in your script?  I don't know anything about this stuff, so bear with me:

1) boot into recovery, wipe cache, apply update.zip (which has the two commands in the script)
2) once the update.zip is installed, disable battery discharge, apply update2.zip

would something like that be possible?

*EDIT*
currently running ThinkPadTablet_A310_02_0039_0086_US
« Last Edit: March 19, 2012, 12:36:34 AM by HOLLYW00D »

opdecirkel (Newbie, 40 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #11 on: March 18, 2012, 10:18:50 PM »
Quote from: HOLLYW00D on March 18, 2012, 10:10:29 PM
is it possible to create one, or a series, of "update.zip" files for the commands in your script?

You can not create your own updates because the tablet will accept only lenovo signed update.
However you inspired an idea: To try to apply the update you already have, in that case it is possible to mount the /system partition (though, the update will fail, but we get mounted partition)
I will try this, and post about the results.
« Last Edit: March 18, 2012, 11:53:42 PM by opdecirkel »

opdecirkel (Newbie, 40 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #12 on: March 18, 2012, 10:45:57 PM »
It WORKS!,  Root for everybody (even those stuck on OTA1) !!!
instructions updated.

1. Just get from http://download.lenovo.com/slates/think/tablet1/ your current update
2. rename it to update.zip and put it on external sd card (not the internal one),
3. In recovery, before wiping out the cache, go to apply update, and try to apply it. It will fail but will mount the /system partition
(I have to update the script to use absolute paths to the commands: instead of adb shell 'ln ... ' use adb shell '/system/bin/ln ...', etc, since in some cases (OTA1) the system PATH is not correct)
4. run the modified exploit script
« Last Edit: March 18, 2012, 11:25:53 PM by opdecirkel »

HOLLYW00D (Newbie, 4 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #13 on: March 19, 2012, 12:42:53 AM »
Quote from: opdecirkel on March 18, 2012, 10:45:57 PM
It WORKS!,  Root for everybody (even those stuck on OTA1) !!!
instructions updated.

1. Just get from http://download.lenovo.com/slates/think/tablet1/ your current update
2. rename it to update.zip and put it on external sd card (not the internal one),
3. In recovery, before wiping out the cache, go to apply update, and try to apply it. It will fail but will mount the /system partition
(I have to update the script to use absolute paths to the commands: instead of adb shell 'ln ... ' use adb shell '/system/bin/ln ...', etc, since in some cases (OTA1) the system PATH is not correct)
4. run the modified exploit script


almost, I can feel it!  Perhaps I'm doing something wrong.  I was not able to use the current update, as it would just install instead of failing.  I went one version back and was able to cause the install to fail in recovery.  After that, the cache wipe and battery discharge are fine (no errors during those steps).  The problem happens after the reboot:

Code:
8. Waiting for device to restart...
Installing root tools...
remount failed: Operation not permitted
rm failed for /system/xbin/su, Read-only file system
rm failed for /system/bin/su, Read-only file system
Error: Could not access the Package Manager.  Is the system running?
rm failed for /system/app/Superuser.apk, Read-only file system
failed to copy 'su' to '/system/xbin/su': Read-only file system
link failed Read-only file system
Unable to chmod /system/xbin/su: No such file or directory
Unable to chmod /system/xbin/su: No such file or directory
failed to copy 'Superuser.apk' to '/system/app/Superuser.apk': Read-only file system
failed to copy 'busybox' to '/system/xbin/busybox': Read-only file system
Unable to chmod /system/xbin/busybox: Read-only file system
--install: applet not found
9. Cleaning up...
rm failed for /data/local.prop, Permission denied
Rebooting...
Waiting for device to restart...

feskey (Jr. Member, 53 posts)
Re: yareftpt - yet another root exploit for TPT
« Reply #14 on: March 19, 2012, 12:46:11 AM »
still not working.

when I try to apply the update.zip (0089ROW), it installs every time, won't fail.

and after that  get

- exec '/system/bin/sh' failed: No such file or directory (2) -
- exec '/system/bin/sh' failed: No such file or directory (2) -

So I used another update.zip (0074ROW), it failed.

and next step won't get "No such file or directory"

but my TPT won't restart automatically. I manually restart and get everything showing "read only".

 



